Item: 1 (Ref:Cert-70-290.1.2.1)

You are a network administrator for your company. A Windows Server 2003 computer on your corporate
network contains a software-based RAID-5 volume. Users' home folders are stored on that volume. The
server functions normally for several months. One day, users report that access to their home folders has
become unusually slow. Your investigation reveals a failed hard disk that is part of the RAID-5 volume. You
must correct the deterioration of performance and ensure that users can access their home folders as usual.

Which of the following should you do?


Replace the failed disk. In Disk Management, initialize the new disk, convert it into a dynamic disk, and
then repair the volume.
In Disk Management, break the RAID-5 volume and remove the failed disk. Then, replace the failed disk.
In Disk Management, rebuild the RAID-5 volume.
Replace the failed disk. In Disk Management, convert the new disk to dynamic and format it by using
NTFS.
Only replace the failed disk and restart the server.

Answer:
Replace the failed disk. In Disk Management, initialize the new disk, convert it
into a dynamic disk, and then repair the volume.

Explanation:
Redundant Arrays of Independent Disks (RAIDs) can be hardware-based or software-based. The RAID
configuration of a hardware-based RAID device is implemented through its controller. A hardware-based
RAID device appears in Disk Management as a single hard disk. The RAID configuration of a software-based
RAID volume is implemented through the operating system. In Disk Management, a software-based RAID
volume appears as a volume that consists of several regions of equal size that span multiple physical disks. A
software-based RAID-5 volume is a redundant volume that spans three or more physical disks, with parity
distributed across all of them. If one of the disks in a RAID-5 volume fails, the volume continues to function;
however, access to the data on that volume becomes noticeably slower because every read of data that was
on the failed disk has to be reconstructed from the remaining data and parity, which costs a substantial amount
of CPU time.

To correct the problem in this scenario, you should first of all replace the failed disk. The new disk appears in
Disk Management as Not Initialized. Before you can start using the new disk, you must initialize it. The
initialization involves writing a master boot record and a disk signature. Next, you should convert the new disk
into a dynamic disk because only dynamic disks can participate in RAID volumes. Finally, you should right-
click the failed region of the RAID-5 volume and select Repair Volume. The unallocated space on the new
disk will be used to replace the failed region of the RAID-5 volume. After that, you can remove the failed disk
from Disk Management. Once the new disk has become part of the repaired RAID-5 volume, it will be
automatically formatted and the necessary data will be written to it in order to provide redundancy. Once all
these processes have completed, the performance of access to data on the RAID-5 volume will return to
normal.

You cannot break a RAID-5 volume; only a RAID-1, or mirrored, volume can be broken. Breaking a mirror
refers to the process of converting a mirrored volume into two separate simple volumes. You cannot format a
disk; only volumes can be formatted. You should not create any volumes on the new disk, nor should you
format them. Only unallocated space on a dynamic disk can be used to repair a RAID-5 volume with failed
redundancy.

Copyright © 2010 Transcender LLC, a Kaplan Professional Company. All Rights Reserved.

Item: 2 (Ref:Cert-70-290.1.2.2)

You are your company's network administrator. A Windows Server 2003 computer on your corporate network
hosts a line-of-business database application. Transaction logs for that database are stored on a software-
based RAID-1 volume. The server functions normally for several months. One day, during a scheduled
maintenance, you notice that one of the disks in the RAID-1 volume has failed. You shut down the server and
replace the failed disk with a new disk. Then, you turn the server on; you must ensure that the RAID-1 volume
is fully functional and no data loss has occurred.

Which of the following should you do?


You do not need to take any action; the RAID-1 volume will repair itself automatically, when the server is
started.
In Disk Management, remove the failed disk from the RAID-1 volume; initialize the new disk, convert it to
a dynamic disk, and then add it to the RAID-1 volume.
In Disk Management, import the new disk, convert it to a dynamic disk, and format it by using NTFS.
In Disk Management, initialize the new disk, convert it to a dynamic disk, and then use the Repair
Volume command to repair the RAID-1 volume.

Answer:
In Disk Management, remove the failed disk from the RAID-1 volume;
initialize the new disk, convert it to a dynamic disk, and then add it to the
RAID-1 volume.

Explanation:
Redundant Arrays of Independent Disks (RAIDs) can be hardware-based or software-based. The RAID
configuration of a hardware-based RAID device is implemented through its controller. A hardware-based
RAID device appears in Disk Management as a single hard disk. The RAID configuration of a software-based
RAID volume is implemented through the operating system. In Disk Management, a software-based RAID
volume appears as a volume that consists of several regions of equal size that span multiple physical disks. A
software-based RAID-1, or mirrored, volume is a redundant volume that is made of two physical disks, which
contain identical sets of data. If one of the disks in a RAID-1 volume fails, the volume will continue to function
and no data loss will occur as long as the surviving disk remains operational.

To correct the problem in this scenario, you should first of all replace the failed disk. When you start the server
after that, the new disk will appear in Disk Management as Not Initialized. Before you can start using the new
disk, you must initialize it. The initialization involves writing a master boot record and a disk signature. Next,
you must convert the new disk into a dynamic disk because only dynamic disks can participate in RAID
volumes. The failed disk will still appear in Disk Management; instead of Disk X, where X is the ordinal
number of the disk, it will be designated as Missing, and its status will be Offline. The status of the mirrored
volume will be displayed as Failed Redundancy on both disks that host the mirrored volume. You should
right-click any one of the two regions of the RAID-1 volume, select the Remove Mirror command, and click
the failed disk in the Remove Mirror dialog box. The mirror will be removed from the failed disk, and no
volumes will be displayed on that disk. To remove the failed disk from Disk Management, you should right-
click the failed disk and select Remove Disk. Finally, you should right-click the surviving mirror, select the
Add Mirror command, and click the new disk in the Add Mirror dialog box.

You cannot use the Repair Volume command to repair a mirrored volume; this command can be used to
repair only a RAID-5 volume. You cannot format a disk; only volumes can be formatted. You should not create
any volumes on the new disk, nor should you format them. Only unallocated space on a dynamic disk can be
added to a mirrored volume with failed redundancy.
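
The two repair procedures above (Repair Volume for a RAID-5 member, Remove Mirror/Add Mirror for a mirrored volume) can also be driven from the command line with DiskPart, which is useful when the console session is a remote shell. The following script is an added example and is not part of the Transcender item; the disk and volume numbers, and the "M0" identifier DiskPart assigns to a missing disk, are assumptions that must be replaced with the output of your own list disk and list volume.

```powershell
# Added example, not from the Transcender item: drives DiskPart non-interactively through
# the steps the explanations describe for Disk Management. Every disk and volume number
# below is an assumption; run diskpart, then "list disk" and "list volume", and substitute
# your own before using it. Requires an elevated prompt and is destructive.
param(
    [Parameter(Mandatory = $true)][ValidateSet('Raid5', 'Mirror')][string]$Mode,
    [int]$NewDisk    = 3,     # assumption: the replacement disk appears as Disk 3
    [int]$Volume     = 2,     # assumption: the volume showing Failed Redundancy
    [string]$Missing = 'M0'   # assumption: DiskPart lists the failed member as Disk M0
)

$lines = New-Object System.Collections.Generic.List[string]

# 1. Only dynamic disks can hold RAID volumes, so convert the replacement first.
$lines.Add("select disk $NewDisk")
$lines.Add("convert dynamic")

switch ($Mode) {
    'Raid5' {
        # 2a. Repair Volume: the unallocated space on the new disk replaces the failed region,
        #     then the Missing disk entry is dropped (Remove Disk in Disk Management).
        $lines.Add("select volume $Volume")
        $lines.Add("repair disk=$NewDisk")
        $lines.Add("select disk $Missing")
        $lines.Add("delete disk")
    }
    'Mirror' {
        # 2b. There is no Repair Volume for mirrors: delete the failed half together with the
        #     Missing disk (Remove Mirror + Remove Disk), then Add Mirror onto the new disk.
        $lines.Add("select disk $Missing")
        $lines.Add("delete disk override")
        $lines.Add("select volume $Volume")
        $lines.Add("add disk=$NewDisk")
    }
}
$lines.Add("exit")

$scriptPath = Join-Path $env:TEMP 'raid-repair.txt'
$lines | Set-Content -Path $scriptPath -Encoding ASCII
Write-Host "DiskPart script written to $scriptPath; review it, then run:"
Write-Host "    diskpart /s `"$scriptPath`""
```

Run the generated file with diskpart /s only after reading it; DiskPart does not ask for confirmation. Afterwards list volume should show the volume Regenerating (RAID-5) or Resynching (mirror) until the redundancy has been rebuilt, and then Healthy.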


Item: 3 (Ref:Cert-70-290.2.2.1)

You are your company's network administrator. Your corporate network consists of a single Active Directory
domain. All servers run Windows Server 2003, and all client computers run Windows XP Professional. There
are about 1,000 users on the network. As part of your disaster recovery plan, you want to periodically back up
user profiles. Currently, all users use local profiles, which makes it difficult to include them in regular backups.
You are planning to maintain user profiles in a central location on a server. You must configure all user
accounts to use roaming profiles. You must accomplish this task with the least administrative effort.

Which of the following should you do?


Instruct each user to specify the location of the profile in the user account properties in Computer
Management on the user's client computer.
Specify the profile location in the Default Domain Policy GPO.
In Active Directory Users and Computers, select all user accounts and specify the profile location in the
properties of the selection.
Specify the profile location in the Default Domain Controllers Policy GPO.
In Active Directory Users and Computers, specify the profile location in the properties of each user
account.

Answer:
In Active Directory Users and Computers, select all user accounts and
specify the profile location in the properties of the selection.

Explanation:
A user profile is a collection of settings that define the user's environment on a computer, such as desktop
appearance, Start menu shortcuts, application data, and so on. By default, when a user logs on to the domain
for the first time from a specific client computer, a local profile is created on that computer; the profile is stored
in a subfolder of the Documents and Settings folder that has the same name as the user's domain user
account. Alternatively, a user account can be configured to specify that a profile be stored on a server, instead
of a local computer. Such a profile is known as a roaming profile because it follows the user from computer to
computer. To configure a user account to use a roaming profile, you can specify a path to a shared folder on a
server in the user account's properties in Active Directory Users and Computers.

Suppose you want all user profiles to be stored in the folder C:\Profiles on a server named Server1. You
should share the C:\Profiles folder on Server1 and assign a name to the share; for example, ProfileShare.
To configure each user's profile to be stored in a subfolder of that folder, you can type a UNC path, such as
\\Server1\ProfileShare\user_name, to the user's profile in the Profile path box on the Profile tab of the
Properties sheet for the user's account in Active Directory Users and Computers. However, configuring each
user's account individually would require a considerable amount of time and effort. To configure roaming
profiles for all user accounts simultaneously, you can select all appropriate user accounts in Active Directory
Users and Computers, right-click the selection, open the Properties sheet for the selection and specify a
UNC path in the Profile path box on the Profile tab. To ensure that the profile path is unique for each user
account, you should use the %username% variable in the path. For example, if you type \\Server1
\ProfileShare\%username% in the Profile path box in the Properties sheet for the selection, then a
subfolder will be automatically created in the ProfileShare folder for each user account. The name of the
subfolder will be the same as the user's logon name.

The scenario requires that roaming profiles be configured for domain user accounts. You cannot accomplish
this task by using Computer Management on client computers because the user accounts that appear in
Computer Management are local user accounts. You should use Active Directory Users and Computers to
manage domain user accounts. The location of roaming profiles cannot be configured by using Group Policy.
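
The part of this procedure the exam does not show is the share itself: if every user can read every other user's folder under ProfileShare, roaming profiles leak NTuser.dat, Application Data and anything else a user keeps on the desktop. The following script is an added example, not part of the Transcender item; it builds the share with an ACL that lets each user create only his or her own folder and then stores the per-user profile path on every account in an OU. The OU, the server name and the use of the ActiveDirectory module (newer than Windows Server 2003) are assumptions.

```powershell
# Added example, not from the Transcender item. Creates the profile share described above
# (C:\Profiles shared as ProfileShare) with permissions that let each user create only
# his or her own profile folder, then sets the per-user profile path on every account in
# one OU. The OU and the server name are assumptions; the ActiveDirectory module is newer
# than Windows Server 2003, so run this from a current management host.
Import-Module ActiveDirectory
$root   = 'C:\Profiles'
$share  = 'ProfileShare'
$server = 'Server1'                         # assumption: this script runs on Server1
$ou     = 'OU=Staff,DC=corp,DC=example'     # assumption

New-Item -ItemType Directory -Path $root -Force | Out-Null

# NTFS does the real access control: an authenticated user can list the root and create
# a subfolder, CREATOR OWNER then gets full control of the folder he or she created, and
# nobody else can read it. Inherited ACEs are removed first so no broader right leaks in.
icacls $root /inheritance:r
icacls $root /grant 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F'
icacls $root /grant 'CREATOR OWNER:(OI)(CI)(IO)F'
icacls $root /grant 'Authenticated Users:(RD,AD,X,RA)'

# The share permission is deliberately broad; the NTFS ACL above restricts per folder.
net share "$share=$root" "/grant:Authenticated Users,FULL"

# ADUC replaces %username% with each user's logon name when it saves the multi-select
# dialog; here the substitution is done explicitly so the stored attribute is the same.
Get-ADUser -Filter * -SearchBase $ou | ForEach-Object {
    Set-ADUser -Identity $_ -ProfilePath "\\$server\$share\$($_.SamAccountName)"
}
```

The folder a user's first logoff creates under the share inherits the CREATOR OWNER entry, so the user owns it and other users get no access, which is the same outcome the explanation describes for the automatically created subfolders.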


Item: 4 (Ref:Cert-70-290.2.2.2)

You are a network administrator for your company. Your corporate network consists of a single Active
Directory domain. All servers run Windows Server 2003, and all client computers run Windows XP
Professional. A written company policy defines a standard desktop environment that must be implemented for
all users on the network. Each time a user logs on, the desktop environment must be the same, regardless of
the changes that the user may have made during previous sessions. If a user makes any changes to his or
her desktop environment, those changes must be discarded when the user logs off. You must enforce the
company policy.

Which of the following should you do?


For each user account, configure a profile path to a network share. In each user's roaming profile,
rename the NTuser.dat file to NTuser.man.
For each user account, configure a profile path to a network share. Assign only the Allow - Read
permission for the share to the Authenticated Users group.
Rename the NTuser.dat file to NTuser.man in each user's local profile.
Configure all user accounts to use the same roaming profile. Configure the Default Domain Policy GPO
to prevent changes to roaming profiles.

Answer:
Configure all user accounts to use the same roaming profile. Configure the
Default Domain Policy GPO to prevent changes to roaming profiles.

Explanation:
To enforce a uniform desktop environment for all users, you should create a mandatory user profile and
configure all user accounts to use that profile. A mandatory profile is a roaming profile that users cannot
change. You should log on to a client computer with a regular, non-administrative domain user account. A
local profile will be automatically created for that account by using the Default User profile as a template. You
should configure the appropriate desktop and other personal settings, and then log off. The desktop
environment that you have created will be saved to the local profile. Then, you should log on by using your
administrative user account and copy the created profile to a network share. To configure all domain users to
use that profile, you should select all user accounts in Active Directory Users and Computers, right-click the
selection, select Properties, select the Profile tab, and type the UNC path to the profile folder in the Profile
path box. To prevent users from changing the profile, you should enable the Prevent Roaming Profile
changes from propagating to the server policy in Default Domain Policy or another domain-level Group
Policy object (GPO). You should also configure a folder redirection policy for the My Documents folder.
Redirecting My Documents to a network share is necessary in this scenario because, although all users will
be using the same profile, they should have separate My Documents folders.

Each profile contains a file named NTuser.dat, which includes the registry-based portion of the profile. An
alternative way of making a profile mandatory is by renaming the NTuser.dat file in the profile to
NTuser.man. However, using a GPO is the recommended way of preventing users from changing a roaming
profile. Additionally, to meet the requirements of the scenario, it is not sufficient to specify a UNC path to a
shared folder in user account properties without creating a common profile and saving it to that folder. If you
specified a unique profile path for each user account, then a separate profile would be created for each user
when the user logged off for the first time, and you would have to rename the NTuser.dat file to NTuser.man
in each profile separately. If you specified the same path for all user accounts, then a profile would be created
for the user who logged off first. The system would automatically assign such permissions for that profile that
other users would be prevented from using it.

If you configured a profile, placed it on a network share and assigned read-only access to the share, but did
not rename the NTuser.dat file to NTuser.man, then users would not be able to use that profile; instead, they
would have to use default local profiles.

Renaming the NTuser.dat file to NTuser.man in each user's local profile would make those profiles
mandatory. However, this solution does not meet the requirement of the scenario to enforce a uniform
desktop environment for all users because each user would have a different local profile.
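
The steps above, with both controls the explanation mentions applied together, as an added example that is not part of the Transcender item. It assumes the configured profile has already been copied to \\Server1\ProfileShare\Standard, assumes the OU, and assumes the registry value behind the "Prevent Roaming Profile changes from propagating to the server" policy; check that last assumption against the System.admx template before relying on it. The ActiveDirectory and GroupPolicy modules it uses are newer than Windows Server 2003.

```powershell
# Added example, not from the Transcender item. Takes the profile folder that the
# explanation says was copied to the share, makes it mandatory and read-only, points every
# account in an OU at it, and enables the policy the answer relies on. Paths, the OU and
# the registry value behind the policy are assumptions; verify the last against the
# System.admx template. Needs the ActiveDirectory and GroupPolicy modules (newer than
# Windows Server 2003).
Import-Module ActiveDirectory, GroupPolicy
$template = '\\Server1\ProfileShare\Standard'      # assumption: the copied profile folder
$ou       = 'OU=Staff,DC=corp,DC=example'          # assumption

# 1. NTuser.dat -> NTuser.man: the hive is loaded read-only and never written back to the share.
Rename-Item -Path (Join-Path $template 'NTuser.dat') -NewName 'NTuser.man'

# 2. Users only ever need to read the template; remove inherited ACEs so nothing broader applies.
icacls $template /inheritance:r
icacls $template /grant 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' 'Authenticated Users:(OI)(CI)RX'

# 3. One profile path for everybody, the same result as the multi-select Properties sheet in ADUC.
Get-ADUser -Filter * -SearchBase $ou | Set-ADUser -ProfilePath $template

# 4. "Prevent Roaming Profile changes from propagating to the server" in Default Domain Policy.
#    Assumption: this policy is stored as the ReadOnlyProfile DWORD under the key below.
Set-GPRegistryValue -Name 'Default Domain Policy' `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'ReadOnlyProfile' -Type DWord -Value 1 | Out-Null
```

Either step 1 or step 4 alone makes the profile effectively mandatory; doing both means a user who can somehow write to the share still cannot change the hive that everyone loads. Folder redirection for My Documents, which the explanation calls for, is configured separately under User Configuration.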


Item: 5 (Ref:Cert-70-290.2.2.3)

You are your company's network administrator. Your company's network consists of a single Active Directory
domain. All servers run Windows Server 2003, and all client computers run Windows XP Professional. Users
in the Sales department are provided with portable computers because they often travel to work at customer
sites. Some of the sales representatives report that they cannot log on to the domain from their portable
computers when they are out of the office. You must ensure that all sales representatives can always log on
to the domain.

Which of the following should you do?


Create roaming user profiles for those sales representatives who cannot log on when they are out of the
office.
Enable the offline files feature on all portable computers.
Move all computer accounts for the portable computers of the sales representatives into an OU, create a
GPO that contains a policy that requires all logons to be validated by a domain controller, and link the
GPO to the OU.
Instruct the sales representatives who cannot log on to the domain when they are out of the office to log
on to the domain from their portable computers at least once while they are connected to the network.

Answer:
Instruct the sales representatives who cannot log on to the domain when
they are out of the office to log on to the domain from their portable
computers at least once while they are connected to the network.

Explanation:
For a user to log on to the domain, the user's credentials must be validated by a domain controller. After the
first successful logon to the domain, the user's credentials are cached on the client computer. If subsequently
no domain controllers are available to validate the user's logon request, then those cached credentials are
used to enable the user to log on to the domain. It appears that some of the sales representatives in this
scenario have never connected their portable computers to the network, and, therefore, those computers do
not have the sales representatives' domain user account credentials cached. For those users to be able to
successfully log on to the domain while working off site, they should first connect their portable computers to
the corporate network and log on to the domain at least once, so that their credentials are cached on those
computers.

A roaming profile is a user profile that is stored in a shared folder on a file server, rather than on a local
computer. Offline files is a feature that allows users to cache certain files from network shares to their local
computers. The problem in this scenario is not related to roaming profiles or offline files. An administrator can
configure a Group Policy object (GPO) that sets the number of times that domain users' credentials can be
cached, so that the users could log on without being authenticated by a domain controller only a limited
number of times. The Interactive logon: Number of previous logons to cache (in case domain controller
is not available) policy can be set to a number between 0 and 50. If you set this policy to 0, then all logon
attempts would have to be validated by a domain controller and users would not be able to log on to the
domain offline by using their cached credentials from the computers affected by that policy.
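
Before telling the sales representatives to log on once in the office, it is worth confirming that their laptops have not been set to 0 by a policy, since the symptom is the same. The function below is an added example, not part of the Transcender item; it reads the value that backs this policy (CachedLogonsCount under the Winlogon key) from each named computer. The computer names are assumptions, and remote registry access is required for anything other than the local machine.

```powershell
# Added example, not from the Transcender item. Reports the effective
# "Interactive logon: Number of previous logons to cache" setting on each computer, read
# from the CachedLogonsCount value under Winlogon where the policy is stored (a REG_SZ;
# 10 when the policy has never been set). Computer names are assumptions and remote
# registry access is required, or call it with no arguments for the local machine.
function Get-CachedLogonsCount {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))
    foreach ($c in $ComputerName) {
        try {
            $hklm  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $c)
            $key   = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon')
            $raw   = $key.GetValue('CachedLogonsCount')
            $count = if ($null -eq $raw) { 10 } else { [int]$raw }
            [pscustomobject]@{
                Computer             = $c
                CachedLogonsCount    = $count
                OfflineLogonPossible = ($count -gt 0)   # 0 forces every logon through a DC
                Error                = $null
            }
        } catch {
            [pscustomobject]@{
                Computer             = $c
                CachedLogonsCount    = $null
                OfflineLogonPossible = $null
                Error                = $_.Exception.Message
            }
        }
    }
}

Get-CachedLogonsCount -ComputerName 'SALES-LT01', 'SALES-LT02' | Format-Table -AutoSize
```

The security trade-off behind this setting is that each cached entry is a password verifier stored in the SECURITY hive; anyone who gets SYSTEM-level access to the disk of a stolen laptop can extract those verifiers and attempt to crack them offline. Laptops that need offline logon should therefore cache the smallest number that covers their users, rather than the default of 10, and desktops that never leave the network can be set to 0.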


Item: 6 (Ref:Cert-70-290.2.2.31)

You are a network administrator for your company. Your company's network consists of a single Active
Directory domain. You are responsible for creating new account objects in Active Directory. You create
VBScript scripts to automate some of the tasks.

You have created a VBScript script to create a new organizational unit (OU) named DevTemp, create a new
group named Contractors and a new user account named Heidi Jones in the DevTemp OU, and add that
user account to the Contractors group. When Heidi attempts to log on to the domain, she is unable to do
so. You open Active Directory Users and Computers and see the information shown in the following exhibit.

Then, you examine the Properties sheet for Heidi's user account and see the information shown in the
following exhibit.


You must ensure that Heidi can log on to the domain with the appropriate access permissions. You must
determine which line or lines in the VBScript script should be modified. To complete the objective, select the
line or lines that should be modified. You can select as many lines as necessary.

This graphic is not available in print format.

Explanation:
The following exhibit depicts the lines in the Visual Basic Script (VBScript) file that should be modified.


Administrators can use VBScript scripts with Windows Script Host (WSH) to manage objects in Active
Directory. VBScript files contain the .vbs file extension and can be run from the command prompt using the
command wscript ScriptName.vbs (or cscript ScriptName.vbs for console output). In this scenario, you have created a VBScript script that creates an OU
named DevTemp, a group named DevTemp, and a user account named Heidi Jones. However, your goal
was to create a group named Contractors, not DevTemp. Therefore, you should replace the line

Set oGroup = oOU.Create("Group", "cn=DevTemp")

with the line

Set oGroup = oOU.Create("Group", "cn=Contractors")

Additionally, you have mistakenly set the AccountDisabled property of the user account to True, thereby
disabling the account. You should enable the user account by using the following line to set this property to
False:

oUser.AccountDisabled = False

Your modified VBScript file should look similar to the one shown in the following exhibit.
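
The same provisioning, with both defects corrected, written for the ActiveDirectory PowerShell module instead of VBScript and ADSI. This is an added example, not the script from the exhibits; the module is available from Windows Server 2008 R2 onward, and the logon name hjones and the prompt for an initial password are assumptions.

```powershell
# Added example, not from the Transcender item: the provisioning the VBScript was meant to
# do, rewritten with the ActiveDirectory module (Windows Server 2008 R2 and later) with the
# two defects fixed: the group is named Contractors and the account is created enabled.
# The logon name hjones and the prompt for an initial password are assumptions.
Import-Module ActiveDirectory
$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName
$ouDN     = "OU=DevTemp,$domainDN"

New-ADOrganizationalUnit -Name 'DevTemp' -Path $domainDN

# cn=Contractors, not cn=DevTemp: the group name the task actually asked for.
New-ADGroup -Name 'Contractors' -SamAccountName 'Contractors' -Path $ouDN `
    -GroupScope Global -GroupCategory Security

# Never put the password in the script file; prompt for it (or pull it from a vault).
$initialPassword = Read-Host -AsSecureString -Prompt 'Initial password for Heidi Jones'

# -Enabled $true is the counterpart of oUser.AccountDisabled = False in the VBScript.
New-ADUser -Name 'Heidi Jones' -GivenName 'Heidi' -Surname 'Jones' `
    -SamAccountName 'hjones' -UserPrincipalName "hjones@$($domain.DNSRoot)" `
    -Path $ouDN -AccountPassword $initialPassword -ChangePasswordAtLogon $true `
    -Enabled $true

Add-ADGroupMember -Identity 'Contractors' -Members 'hjones'

# Check exactly what the two exhibits showed: account state and group membership.
Get-ADUser -Identity 'hjones' -Properties MemberOf |
    Select-Object SamAccountName, Enabled,
        @{ Name = 'Groups'; Expression = { ($_.MemberOf -replace '^CN=([^,]+),.*', '$1') -join ', ' } }
```

The final query is the check to keep: Enabled must read True and Groups must contain Contractors, which are the two facts the ADUC exhibits contradicted.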


Item: 7 (Ref:Cert-70-290.2.2.5)

You are the network administrator for your company. The network consists of a single Active Directory
domain. All servers run Windows Server 2003, and all client computers run Windows XP Professional. Your
company has purchased several identical Plug-and-Play (PnP) tape backup devices. All computer hardware
on the network is PnP-compliant. You have successfully installed one device on a server named ServerA.
When you attempt to install another of the devices on a server named ServerB, you receive an error
message. You must be able to install the tape backup device on any server throughout the network.

Which of the following should you do?


Configure a domain-level policy to allow the installation of unsigned device drivers.
Use the Add Hardware wizard to install the device.
Download the latest version of the device driver from the manufacturer's Web site.
Modify software restriction policies in the domain.

Answer:
Configure a domain-level policy to allow the installation of unsigned device
drivers.

Explanation:
For a device to function properly, an appropriate device driver must be installed. Installing an unknown
program may present a security risk. Therefore, it has become common for software developers to digitally
sign their programs, including device drivers, as a proof that those programs have not been tampered with.
Depending on the driver signing options that are in effect on a computer, installation of an unsigned driver can
be allowed, blocked or allowed after a warning is displayed that informs you that the driver you are installing
does not have a digital signature. The unsigned driver installation options can be configured on each
computer locally or through Group Policy. Group Policy settings override the corresponding locally configured
settings.

In this scenario, you have successfully installed a tape backup device on one server, but failed to install an
identical device on another server. Based on the presented choices, it appears that the driver for the tape
backup device is not digitally signed; ServerA is probably configured to allow unsigned drivers to be installed,
whereas ServerB is configured to block their installation. To ensure that you can install the device on any
server in the domain, you should configure the appropriate domain-level driver installation policy. In Default
Domain Policy or another domain-level Group Policy object (GPO), you should navigate to the Computer
Configuration/Windows Settings/Local Policies/Security Options node in the left pane, double-click
Devices: Unsigned driver installation behavior in the right pane, select Define this policy setting, and
select the appropriate setting from the drop-down list box. You can select Silently succeed to allow unsigned
drivers to be installed unconditionally, or you can select Warn but allow installation to be issued a warning
that the driver about to be installed is unsigned before you can proceed with an installation. The third available
option is Do not allow installation.

Windows Server 2003 supports the PnP standard, and all computers in this scenario are PnP-compliant.
When you connect a PnP device, it is automatically detected by the system or you can initiate a scan for
hardware changes in Device Manager. If the operating system includes a built-in driver for the device, then
the driver is installed automatically. Otherwise, you are prompted to specify the location where the driver can
be found. The Add Hardware wizard is mostly used to install non-PnP devices, which are not detected by the
system automatically.

You have successfully installed the device on ServerA; hence, the failure to install the same driver on
ServerB cannot be caused by the driver being faulty. Software restriction policies affect the ability of users to
run specified executable files. Generally, device drivers are not implemented through executable files. Even if
a software restriction policy could interfere with unsigned driver installation, a domain-level policy would affect
all computers in the domain.
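
Before relaxing a domain-wide driver-signing policy it pays to confirm the diagnosis: is the driver really unsigned, and what does each server currently enforce? The two functions below are an added example, not part of the Transcender item. They read the Driver Signing\Policy registry value that stores the "Devices: Unsigned driver installation behavior" setting and verify a driver file's Authenticode signature; the driver path, the server names and the treatment of an absent value as Warn are assumptions.

```powershell
# Added example, not from the Transcender item. Before loosening a domain-wide policy,
# find out whether the driver is actually unsigned and what each server currently enforces.
# The Driver Signing\Policy value is the registry backing of "Devices: Unsigned driver
# installation behavior" (REG_BINARY: 0 = silently succeed, 1 = warn, 2 = do not allow).
# The driver path and server names are assumptions.
function Get-UnsignedDriverPolicy {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $key  = $hklm.OpenSubKey('SOFTWARE\Microsoft\Driver Signing')
    $raw  = if ($key) { $key.GetValue('Policy') } else { $null }   # byte[] when present
    $code = if ($raw) { [int]$raw[0] } else { 1 }                   # assumption: absent = Warn
    [pscustomobject]@{
        Computer = $ComputerName
        Behavior = @{ 0 = 'Silently succeed'; 1 = 'Warn but allow installation'; 2 = 'Do not allow installation' }[$code]
    }
}

function Test-DriverSignature {
    param([Parameter(Mandatory = $true)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File   = Split-Path $Path -Leaf
        Status = $sig.Status            # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

'ServerA', 'ServerB' | ForEach-Object { Get-UnsignedDriverPolicy -ComputerName $_ }
Test-DriverSignature -Path 'C:\Drivers\Tape\tapedrv.sys'   # assumption: the vendor's driver file
```

One caveat when reading the result: Windows driver packages are normally signed through a catalog (.cat) named by the CatalogFile entry in the INF rather than by a signature embedded in each .sys, so NotSigned on the .sys alone is not conclusive; check the catalog file as well. If the package is genuinely unsigned, Warn but allow installation is the setting to push domain-wide; Silently succeed removes the one prompt that tells an administrator a kernel-mode component of unknown origin is about to be loaded.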


Item: 8 (Ref:Cert-70-290.2.2.6)

You are a network administrator for your company. The network consists of a single Active Directory domain.
All servers run Windows Server 2003, and all client computers run Windows XP Professional. As a security
measure, you want your assistant John to periodically review security logs on all servers on the network. You
must assign John the minimum level of authority that is necessary to enable him to view security logs in Event
Viewer on all servers in the domain.

Which of the following should you do?


Assign the Allow - Full Control permission for the security log file on each server to John.
Assign the Manage auditing and security logs user right on all servers to John.
Add John's domain user account to the Power Users group on each server.
Add John's domain user account to the Server Operators group on each server.

Answer:
Assign the Manage auditing and security logs user right on all servers to
John.

Explanation:
To be able to view the security log on a Windows Server 2003 computer, John must be assigned the Manage
auditing and security logs user right on that computer. By default, only the local Administrators group has
this right. Note that the same right also lets its holder clear the security log and edit object auditing settings
(SACLs), so its assignment should itself be audited. With this right, John can view the security log regardless of his NTFS permissions for the security
log files. You can assign this right to John in a domain-level Group Policy object (GPO), so that John can view
the security log on any computer in the domain. If you want to restrict John to being able to view the security
log only on servers, you can place all client computers into an organizational unit (OU) and block policy
inheritance on that OU. If there are only a few servers on the network, then you can assign the Manage
auditing and security logs right to John's domain user account in the local security policy on each server.

If you assigned John the Allow - Full Control permission for the security log files, then John would be able to
open them by using Notepad or another similar program. However, event log files are not text-based; to be
presented in a readable form, they should be viewed by using Event Viewer. Power Users is a local group
that exists only on member servers. Server Operators is a built-in domain local group; it exists only on
domain controllers. Membership in either of these groups is not sufficient to enable John to view security logs.


Item: 9 (Ref:Cert-70-290.2.2.7)

You are a network administrator for your company. Your corporate network consists of a single Active
Directory domain. All servers run Windows Server 2003. Ten servers are configured as application servers. A
written company security policy requires that all application servers be subject to certain security restrictions.
You configure the local security policy on an application server named AppSrv1 in accordance with the
company's requirements. Now, you must apply the same security settings to all of the application servers with
the least administrative effort. You export the security configuration on AppSrv1 to a security template.

Which of the following should you do next?


Create a security group, and add the application servers to the group. Import the template into the
Default Domain Policy GPO, and assign the Allow - Read permission for the GPO to the group.
Create an OU, and place the application servers into the OU. Create a GPO, import the template into the
GPO, and link the GPO to the OU.
Copy the template to the SYSVOL folder on each application server.
Create a security group, and add the application servers to the group. Create an OU, and place the
group into the OU. Create a GPO, import the template into the GPO, and link the GPO to the OU. Assign
the Allow - Apply Group Policy permission for the GPO to the group.

Answer:
Create an OU, and place the application servers into the OU. Create a GPO,
import the template into the GPO, and link the GPO to the OU.

Explanation:
The recommended way of applying consistent settings to multiple computers is to place the computers into an
organizational unit (OU), link a Group Policy object (GPO) to the OU, and configure the GPO with the
appropriate settings. A security policy is a subset of settings that can be configured in a GPO. Security
settings can be exported from a local security policy of a computer to a text file that is referred to as a security
template. The template can be imported into a GPO or the local policy of another computer. In this scenario,
you should import the template into a GPO and link the GPO to the OU where all the application servers will
be placed.

Default Domain Policy is the default GPO that is linked to the domain. If you imported the template into this
GPO, then those security settings would apply to all domain computers. For a GPO to apply to a computer,
the computer must be assigned the Allow - Read and Allow - Apply Group Policy permissions for the GPO.
By default, the Authenticated Users group, which includes all users and computers in the domain, is
assigned these permissions for all GPOs.

The security settings that are specified in a security template cannot be applied to a computer by copying the
template to the SYSVOL folder on that computer. Additionally, the SYSVOL folder exists only on domain
controllers.

A GPO that is linked to an OU applies directly to user and computer objects in that OU; it does not apply to
group objects. Group objects are not containers; groups do not include user or computer objects that are their
members. If a group resides in an OU, the group's members do not necessarily reside in the same OU. If you
added the application servers to a group and placed the group into an OU, a GPO that is linked to the OU
would not apply to the application servers, unless you placed them into that OU as well.

Copyright © 2010 Transcender LLC, a Kaplan Professional Company. All Rights Reserved.

Item: 10 (Ref:Cert-70-290.2.2.8)

You are your company's network administrator. Your company's network consists of a single Active Directory
domain. All servers run Windows Server 2003, and all client computers run Windows XP Professional. Users
in the Sales department often work off site; they carry their portable computers to customer sites. To protect
confidential customer order information, the company's written security policy requires that the sales
employees encrypt customer data on their portable computers. Users who work in the office should not
encrypt data on their desktop computers. You must enforce the company policy.

Which of the following should you do?


Place all portable computers of the sales employees into an OU, and link a GPO to the OU. Add a data
recovery agent to the GPO. Remove all data recovery agents from the Default Domain Policy GPO.
Create a security group, and add user accounts of all sales employees to the group. Assign the Allow -
Apply Group Policy permission for the Default Domain Policy GPO only to the group.
Place all portable computers of the sales employees into an OU, and link a new GPO to the OU.
Configure the Default Domain Policy GPO not to allow using EFS.
Place user accounts of all sales employees into an OU, and link a GPO to the OU. Configure the
appropriate IPSec policy in the GPO. Block policy inheritance on the OU.

Answer:
Place all portable computers of the sales employees into an OU, and link a
new GPO to the OU. Configure the Default Domain Policy GPO not to allow
using EFS.

Explanation:
Encrypting File System (EFS) provides a transparent way of encrypting sensitive data on NTFS volumes. The
encryption is performed at the file system level, so no changes are required in any applications to use
encrypted data. To use EFS, a user must be issued a digital certificate. If a certification authority (CA) is
available on the network, EFS requests a certificate from the CA. Otherwise, EFS issues a self-signed
certificate when the user attempts to encrypt a file for the first time. The ability to use EFS is controlled
through Group Policy objects (GPOs). By default, all GPOs, including new GPOs, allow using EFS. To
prevent all users from using EFS, you should disable the Allow users to encrypt files using Encrypting
File System (EFS) option in the Encrypting File System Properties dialog box in the Default Domain
Policy GPO. To enable the sales employees to use EFS on their portable computers, you should create an
organizational unit (OU), place the portable computers into the OU, and link a new GPO to the OU. The
default EFS policy setting in that GPO will override the EFS policy setting in the Default Domain Policy GPO.

A data recovery agent (DRA) is a user who has the authority to decrypt data encrypted by other users. DRAs
can be designated through GPOs. In Windows 2000-based Active Directory, DRAs are mandatory; a GPO
that contains no DRAs effectively disables EFS. In Windows Server 2003-based Active Directory, DRAs are
not mandatory.

By default, a GPO applies to all users and computers within its scope. You can filter the scope of a GPO by
using the Read and Apply Group Policy permissions for the GPO. If you filtered the scope of the Default
Domain Policy GPO so that it applied only to the security group that contained all sales employees' user
accounts, then that GPO would apply only to the sales employees. However, the EFS policy is a computer-specific
policy; it applies only to computers, not to users. Thus, the Default Domain Policy GPO would not apply to
any computers in the domain, and all client computers, including desktop computers, would be subject only to
their respective local policies, which, by default, enable EFS. The scenario stipulates that EFS be enabled
only on portable computers.

IPSec is a technology that can be used to secure TCP/IP communications; it cannot be used to encrypt data
stored on computers' hard disks.
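The scoping rules that the explanations for Items 9 and 10 rely on (a GPO linked to an OU reaches the objects placed in that OU, not the members of a group placed there; security filtering needs both Read and Apply Group Policy; Computer Configuration settings apply only to computer objects; the GPO linked closest to the object is processed last and wins) can be checked with a small model. The following Python script is an added example written for this page, not Microsoft code. The domain DC=corp,DC=example, the OU names, the group SIDs and the assumption that the GPO on the laptops OU carries an EFS-allowed setting are constructed for the illustration; only the well-known SID S-1-5-11 and the permission names are real.

```python
from dataclasses import dataclass, field

READ, APPLY = "Read", "Apply Group Policy"
AUTHENTICATED_USERS = "S-1-5-11"        # well-known SID carried by every domain user and computer
DOMAIN = "DC=corp,DC=example"           # made-up domain used throughout this example
SALES_USERS = "S-1-5-21-1000-2000-3000-1105"    # made-up SID of the Sales users group
LOCAL_DEFAULTS = {"EFS allowed": True}  # a computer with no EFS policy defined allows EFS


@dataclass
class Principal:
    name: str
    kind: str        # "user" or "computer"
    container: str   # DN of the OU (or domain container) that holds the object itself
    sids: set        # SIDs in the object's token: its own SID and its group SIDs


@dataclass
class GPO:
    name: str
    computer_settings: dict = field(default_factory=dict)   # Computer Configuration
    user_settings: dict = field(default_factory=dict)       # User Configuration
    acl: dict = field(default_factory=dict)                 # SID -> permissions on the GPO

    def applies_to(self, p):
        # Security filtering: some SID in the token must hold both Read and
        # Apply Group Policy (Deny entries are not modelled here).
        granted = set()
        for sid in p.sids:
            granted |= self.acl.get(sid, set())
        return {READ, APPLY} <= granted


def container_chain(dn):
    """Domain first, then each OU from the top of the tree down to the object's own OU.
    A CN= container such as CN=Computers cannot carry GPO links, so it is skipped."""
    parts = dn.split(",")
    first_dc = next(i for i, part in enumerate(parts) if part.startswith("DC="))
    chain = [",".join(parts[first_dc:])]
    for i in range(first_dc - 1, -1, -1):
        if parts[i].startswith("OU="):
            chain.append(",".join(parts[i:]))
    return chain


def applied_gpos(p, links, gpos):
    """Names of the GPOs that apply to p, in processing order (later ones win).
    `links` maps a container DN to its GPO names in link order (1 = highest precedence)."""
    result = []
    for container in container_chain(p.container):
        for name in reversed(links.get(container, [])):   # lowest link number is processed last
            if gpos[name].applies_to(p):
                result.append(name)
    return result


def resolve(p, links, gpos, local_defaults=LOCAL_DEFAULTS):
    """Effective settings: start from local policy, then let each applying GPO
    overwrite what it defines, using only the section that matches the object type."""
    settings = dict(local_defaults)
    for name in applied_gpos(p, links, gpos):
        gpo = gpos[name]
        settings.update(gpo.computer_settings if p.kind == "computer" else gpo.user_settings)
    return settings


def efs_scenario(filter_ddp_to_sales_users=False):
    """Item 10: Default Domain Policy disables EFS, a GPO on the laptops OU allows it.
    With the flag set, the Default Domain Policy is instead filtered to the Sales users group."""
    ddp = GPO("Default Domain Policy", computer_settings={"EFS allowed": False},
              acl={AUTHENTICATED_USERS: {READ, APPLY}})
    laptops = GPO("Sales Laptops", computer_settings={"EFS allowed": True},   # assumed OU GPO
                  acl={AUTHENTICATED_USERS: {READ, APPLY}})
    if filter_ddp_to_sales_users:
        ddp.acl = {SALES_USERS: {READ, APPLY}}
    gpos = {g.name: g for g in (ddp, laptops)}
    links = {DOMAIN: [ddp.name], f"OU=Laptops,OU=Sales,{DOMAIN}": [laptops.name]}
    return links, gpos


LAPTOP = Principal("SALES-LT01$", "computer", f"OU=Laptops,OU=Sales,{DOMAIN}", {AUTHENTICATED_USERS})
DESKTOP = Principal("HQ-PC01$", "computer", f"OU=Desktops,{DOMAIN}", {AUTHENTICATED_USERS})


def efs_allowed(p, filter_ddp_to_sales_users=False):
    links, gpos = efs_scenario(filter_ddp_to_sales_users)
    return resolve(p, links, gpos)["EFS allowed"]


def group_in_ou_demo():
    """Item 9: a GPO linked to an OU reaches the objects in that OU, not the members of a
    group that sits there. Returns the GPOs applied before and after moving the server itself."""
    baseline = GPO("AppServer Baseline", computer_settings={"Audit logon events": True},
                   acl={AUTHENTICATED_USERS: {READ, APPLY}})
    links, gpos = {f"OU=AppServers,{DOMAIN}": [baseline.name]}, {baseline.name: baseline}
    app_servers_group = "S-1-5-21-1000-2000-3000-1201"   # made-up group SID; the group object is in the OU
    in_group_only = Principal("APP01$", "computer", f"CN=Computers,{DOMAIN}",
                              {AUTHENTICATED_USERS, app_servers_group})
    moved_into_ou = Principal("APP01$", "computer", f"OU=AppServers,{DOMAIN}", in_group_only.sids)
    return applied_gpos(in_group_only, links, gpos), applied_gpos(moved_into_ou, links, gpos)


if __name__ == "__main__":
    print("laptop EFS:", efs_allowed(LAPTOP), "desktop EFS:", efs_allowed(DESKTOP))
    print("desktop EFS with DDP filtered to Sales users:", efs_allowed(DESKTOP, True))
    print("group in OU vs. computer in OU:", group_in_ou_demo())
```

Running the script shows the laptop ending with EFS allowed and the desktop with EFS disabled, the desktop falling back to its local default (EFS allowed) as soon as the Default Domain Policy is filtered to a users group, and the application server receiving nothing from the OU-linked GPO until the computer object itself is moved into the OU.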


Item: 11 (Ref:Cert-70-290.3.2.10)

You are a network administrator for your company. The corporate network consists of a single Active
Directory domain. All servers run Windows Server 2003. On a file server named Server1, you create a shared
folder named UserData and configure NTFS and share permissions for it. Several days later, you notice that
some users have saved files directly in the UserData folder. You want all data in this folder to be kept only in
subfolders. You cannot remove the files from UserData immediately because doing so would interfere with
users' productivity. You notify all users that no more files can be created directly in UserData, and you instruct
the users who own files in UserData to move those files to their respective subfolders. You must modify the
permissions that are assigned to the Users group for UserData in order to prevent users from creating new files
in UserData. Your actions must not affect the permissions for the existing files and subfolders.

Which of the following should you do? (Select 2 choices. Each correct answer presents part of the solution.)
Assign the Allow - Create Files /Write Data permission.
Assign the Allow - Create Folders /Append Data permission.
Apply the permission to Files only.
Assign the Deny - Create Files /Write Data permission.
Apply the permission to This folder only.
Assign the Deny - Create Folders /Append Data permission.

Answer:
Assign the Deny - Create Files /Write Data permission.
Apply the permission to This folder only.

Explanation:
Users' ability to create new files in a folder is controlled by the Create Files /Write Data permission for that
folder. If this permission is applied to a file rather than to a folder, then it controls the ability to modify that file.
To prevent users from creating new files directly in the UserData folder without affecting any other existing
permissions, you should assign the Deny - Create Files /Write Data permission to the Users group, and
you should apply this permission only to the UserData folder. You should open the Properties sheet for the
UserData folder, select the Security tab, click Advanced, click Add, specify the local Users group, select
the Deny - Create Files /Write Data check box, and select This folder only from the Apply onto drop-down
list box. Because an explicit Deny entry is evaluated before any Allow entry, this single entry overrides whatever
write access members of Users otherwise hold on the folder; because it carries no inheritance flags, it is not
propagated to the existing files and subfolders. If you selected Files only, then users would be prevented from
modifying existing files in UserData and in any of its subfolders, but they would be able to create new files.
The Create Folders /Append Data permission controls the ability to create new subfolders or add data to
existing files. You cannot use this permission to prevent users from creating new files in UserData.
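To see why This folder only is the right choice and Files only is not, here is an added Python model of the ACE inheritance flags behind the Apply onto choices and of the order in which Windows evaluates a DACL. It is example code written for this page, not Windows code; the starting ACL on UserData (one inheritable Allow entry for Users covering read, write and append data) is a constructed assumption, and only a subset of the access-mask bits is modelled.

```python
from dataclasses import dataclass

# File/folder access-mask bits (values from the Win32 SDK); the same bit means
# "create files" on a folder and "write data" on a file.
FILE_READ_DATA = 0x0001     # List Folder / Read Data
FILE_WRITE_DATA = 0x0002    # Create Files / Write Data
FILE_APPEND_DATA = 0x0004   # Create Folders / Append Data
MODIFY_BITS = FILE_READ_DATA | FILE_WRITE_DATA | FILE_APPEND_DATA   # subset used in this example

# ACE inheritance flags
OBJECT_INHERIT = 0x01      # OI: propagates to files below
CONTAINER_INHERIT = 0x02   # CI: propagates to subfolders below
NO_PROPAGATE = 0x04        # NP: stop after one level
INHERIT_ONLY = 0x08        # IO: does not apply to the object it is set on

# How the "Apply onto" choices of the Advanced Security Settings dialog map to flags
APPLY_ONTO = {
    "This folder only": 0,
    "This folder, subfolders and files": OBJECT_INHERIT | CONTAINER_INHERIT,
    "This folder and subfolders": CONTAINER_INHERIT,
    "This folder and files": OBJECT_INHERIT,
    "Subfolders and files only": OBJECT_INHERIT | CONTAINER_INHERIT | INHERIT_ONLY,
    "Subfolders only": CONTAINER_INHERIT | INHERIT_ONLY,
    "Files only": OBJECT_INHERIT | INHERIT_ONLY,
}

USERS = "S-1-5-32-545"   # well-known SID of the local Users group


@dataclass(frozen=True)
class ACE:
    allow: bool
    sid: str
    mask: int
    flags: int = 0
    inherited: bool = False


def inherit(parent_acl, child_is_folder):
    """Entries a child object carries because of its parent's inheritable entries."""
    out = []
    for ace in parent_acl:
        oi = ace.flags & OBJECT_INHERIT
        ci = ace.flags & CONTAINER_INHERIT
        no_prop = ace.flags & NO_PROPAGATE
        if child_is_folder:
            if ci:
                flags = 0 if no_prop else ace.flags & (OBJECT_INHERIT | CONTAINER_INHERIT)
                out.append(ACE(ace.allow, ace.sid, ace.mask, flags, inherited=True))
            elif oi and not no_prop:
                # Passes through the subfolder to the files beneath it without applying to the subfolder
                out.append(ACE(ace.allow, ace.sid, ace.mask, OBJECT_INHERIT | INHERIT_ONLY, inherited=True))
        elif oi:
            out.append(ACE(ace.allow, ace.sid, ace.mask, 0, inherited=True))
    return out


def canonical(acl):
    """Canonical order: explicit Deny, explicit Allow, inherited Deny, inherited Allow."""
    return sorted(acl, key=lambda ace: (ace.inherited, ace.allow))


def access_check(acl, token_sids, requested):
    """Grant only if matching Allow entries cover every requested bit before a matching
    Deny entry withholds one of them; inherit-only entries never apply to the object itself."""
    remaining = requested
    for ace in canonical(acl):
        if ace.flags & INHERIT_ONLY or ace.sid not in token_sids:
            continue
        if ace.allow:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
        elif ace.mask & remaining:
            return False
    return remaining == 0


def userdata_demo(apply_onto):
    """What a member of Users can still do after one Deny - Create Files/Write Data entry
    is added to UserData with the given "Apply onto" choice. UserData starts with an
    inheritable Allow entry for Users (constructed starting point)."""
    userdata = [ACE(True, USERS, MODIFY_BITS, OBJECT_INHERIT | CONTAINER_INHERIT),
                ACE(False, USERS, FILE_WRITE_DATA, APPLY_ONTO[apply_onto])]
    existing_file = inherit(userdata, child_is_folder=False)
    subfolder = inherit(userdata, child_is_folder=True)
    file_in_subfolder = inherit(subfolder, child_is_folder=False)
    token = {USERS}
    return {
        "create file in UserData": access_check(userdata, token, FILE_WRITE_DATA),
        "modify existing file in UserData": access_check(existing_file, token, FILE_WRITE_DATA),
        "create file in a subfolder": access_check(subfolder, token, FILE_WRITE_DATA),
        "modify file in a subfolder": access_check(file_in_subfolder, token, FILE_WRITE_DATA),
    }


if __name__ == "__main__":
    for choice in ("This folder only", "Files only"):
        print(choice, userdata_demo(choice))
```

Running it shows that the This folder only Deny blocks only the creation of new files in UserData itself, while the Files only Deny leaves new files possible in UserData and instead blocks modification of existing files at every depth below it.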


Item: 12 (Ref:Cert-70-290.3.2.11)

You are a network administrator for your company. Your corporate network consists of a single Active
Directory domain. All servers run Windows Server 2003. A file server named Server1 contains a shared folder
named UserData. Your company maintains business relationships with a partner company, which also runs a
Windows Server 2003 Active Directory forest. A two-way forest trust exists between the two forests. Users
from the partner company should be allowed to access certain resources in your forest, including shared
folders on Server1. However, they should not be allowed to access the contents of the UserData folder.

Which of the following should you do?


Configure forest-wide authentication on the outgoing trust, and deny the Other Organization group
access to the UserData folder.
Create a domain local group named NoUserData, deny this group access to UserData, and add the
Other Organization group to NoUserData.
Configure selective authentication on the outgoing trust, and deny the Other Organization group the
right to authenticate to Server1.
Configure forest-wide authentication on the outgoing trust, and deny each Domain Users group from the
partner's forest access to the UserData folder.

Answer:
Configure forest-wide authentication on the outgoing trust, and deny each
Domain Users group from the partner's forest access to the UserData folder.

Explanation:
In the properties of a forest trust or an external trust, you can specify forest-wide or selective authentication. If
forest-wide authentication is set, then users from the trusted forest or domain can authenticate to any server
in your forest. If selective authentication is set, then users from the trusted forest or domain can authenticate
only to the servers that explicitly allow them to authenticate. One of the possible solutions in this scenario is to
select forest-wide authentication and assign the Deny - Full Control NTFS permission for the UserData
folder to each Domain Users group from the partner's forest. Users from the partner's forest will be able to
access those resources in your forest for which they have explicit or implicit permissions. Note that these Deny
entries cover only the domains that exist in the partner's forest today; if the partner adds a domain, its Domain
Users group must be added to the entries as well.

The Other Organization security identifier (SID) is added to the access token of a user from a trusted
domain only if the trust is configured for selective authentication. If you set forest-wide authentication on the
outgoing trust to the partner's forest, then users and groups from the partner's forest would not carry the
Other Organization SID in your forest, and you would not be able to prevent them from accessing the
UserData folder by denying access to the Other Organization group. Other Organization is a special identity;
you can neither explicitly add members to it nor add it to other groups. If you configured selective
authentication on the outgoing trust to the partner's forest and assigned the Deny - Allowed to Authenticate
permission for the Server1 Active Directory object to the Other Organization group, then users from the
partner's forest would not be able to access any resources on Server1.


Item: 13 (Ref:Cert-70-290.3.2.12)

You are a network administrator for your company. The corporate network consists of a single Active
Directory domain. All servers run Windows Server 2003, and all client computers run Windows XP
Professional. One of the file servers stores confidential information about the specifications for a new
synthetic fabric that is being designed by the Research and Development department. You create a shared
folder named Fabric and place all documents that are related to the project into that shared folder. You
assign the appropriate share and NTFS permissions for the Fabric folder to the R&D group. Two members of
the R&D group report that they cannot save changes that they have made to a document named Specs.doc
in the Fabric folder from their client computers. You must determine the reason why this is happening.

Which of the following should you do? (Select 2 choices. Each correct answer presents part of the solution.)
Use the Effective Permissions tab of the Advanced Security Settings sheet for the Specs.doc file.
Use the Sharing tab of the Properties sheet for the Specs.doc file.
Use the Security tab of the Properties sheet for the Fabric folder.
Use the Sharing tab of the Properties sheet for the Fabric folder.

Answer:
Use the Effective Permissions tab of the Advanced Security Settings sheet
for the Specs.doc file.
Use the Sharing tab of the Properties sheet for the Fabric folder.

Explanation:
To determine why the two members of the R&D group cannot save the changes that they have made to the
Specs.doc file in the Fabric folder, you should review all of those two users' permissions for that file. The
users' ability to access the file over the network is controlled by the explicit and implicit share permissions for
the file's parent shared folder, and by NTFS permissions for the file. A user's explicit permissions are the
permissions that are assigned directly to the user's account. A user's implicit permissions are the permissions
that apply to the user through membership in security groups. If the user is a member of a large number of
groups, then it may not be easy to calculate the user's actual permissions for a specific file. The Effective
Permissions tab of the Advanced Security Settings sheet for the file can provide an approximation of the
user's effective NTFS permissions for that file. Share permissions are not included in the calculation of the
effective permissions. To review the share permissions that govern access to the file, you should review share
permissions for the shared parent folder of the file.

There is no Sharing tab in any file's Properties sheet because files cannot be shared; only folders can. On
the Security tab of the Properties sheet for the Fabric folder, you can review the NTFS permissions for that
folder. You can also access the Advanced Security Settings sheet for the folder and review the two users'
effective permissions for the folder. However, NTFS permissions can be assigned at the individual-file level;
thus, the NTFS permissions for the Specs.doc file may not be the same as the NTFS permissions for the Fabric
folder.


Item: 14 (Ref:Cert-70-290.3.2.13)

You are your company's network administrator. The corporate network consists of a single Active Directory
domain. All servers run Windows Server 2003, and all client computers run Windows XP Professional. The
network contains a file server named Server1, which hosts a shared folder named UserData. Users have
been saving their files to that folder. The new written company policy stipulates that each user be assigned a
personal subfolder in UserData and that all user data be organized in the subfolders. You have created
subfolders for all users in the UserData folder, and you must relocate all files from the UserData folder to the
appropriate subfolders. Your actions must not affect the permissions that are currently assigned to the files.
You want to perform this task with the least administrative effort.

Which of the following should you do?


Copy each file to the appropriate subfolder, and delete the original file in the UserData folder.
In the Default Domain Policy GPO, configure an advanced folder redirection policy, and filter its scope
so that it applies only to Server1.
Configure a folder redirection policy in the local GPO on Server1.
Move each file from the UserData folder to the appropriate subfolder.

Answer:
Move each file from the UserData folder to the appropriate subfolder.

Explanation:
There are two methods for relocating files: copying and moving. When a file is copied, the original instance of
the file is preserved at its original location, and a new instance of the file is created at the destination location.
If the file's destination is on an NTFS volume, then the new instance of the file inherits its NTFS permissions
from the parent folder at the destination location. When a file is moved between folders that reside on the
same NTFS volume, the file is not physically relocated; only its location pointer is changed to point to the new
destination folder. All other NTFS attributes of the file, including its NTFS permissions and compression status
are retained. A true move is possible only within the same volume. If you attempt to move a file to another
volume, the file is copied to the destination, where it inherits permissions from the new parent folder, and the
original instance of the file is deleted.

In this scenario, the files must be relocated within the same folder and, hence, within the same volume.
Therefore, you should move the files and, thus, preserve their existing NTFS permissions. If you copied the
files, then each file would inherit its permissions from its respective destination folder. Folder redirection
policies can be used to redirect specific folders from user profiles to network shares. Those policies are user-
specific; they apply to users, not to computers. If you filtered the scope of the Default Domain Policy Group
Policy object (GPO) so that it applied only to Server1, or if you configured folder redirection policies in a local
GPO on Server1, then those policies would apply only to local user accounts on Server1; they would not
apply to domain user accounts. Additionally, the scenario does not indicate that the UserData folder or its
contents are related to user profiles.


Item: 15 (Ref:Cert-70-290.3.2.14)

You are your company's network administrator. The corporate network consists of a single Active Directory
domain and a single site. All servers run Windows Server 2003, and all client computers run Windows XP
Professional. The network contains a file server named Server1, which hosts a shared folder named
Projects. Development department employees maintain the documentation about new projects in that folder.
User accounts of all developers are members of the Development group; only that group is assigned
permissions for the Projects folder.

A user named Bob has been transferred to the Development department from another department. Today is
his first day in Development. In the morning, you add Bob's user account to the Development group. Half an
hour later, Bob informs you that he has just attempted to open a file in the Projects folder, but has been
denied access. You must ensure that Bob is provided with access to all the necessary resources.

Which of the following should you do?


Force replication between all domain controllers in the domain.
Instruct Bob to log off and then log back on.
Restart Server1.
Assign Bob the Allow - Change share permission for the Projects folder.

Answer:
Instruct Bob to log off and then log back on.

Explanation:
When a user logs on to the domain, an access token is generated for that user. The access token contains the
security identifiers (SIDs) of the user account and of all groups of which the user is a member. When the user
attempts to access an object, the SIDs in the access token are compared to the SIDs in the entries of the
object's discretionary access control list (DACL), which is part of its security descriptor. Access is granted only if
the Allow entries that match SIDs in the token cumulatively grant every requested right and no matching Deny
entry withholds one of them. Once issued, an access token is not updated; it remains in effect until the user
logs off. If a user's group membership changes while the user is logged on, then the change takes effect only
at the next logon, when the user is issued a new access token.

In this scenario, you should instruct Bob to log off and then log back on to the domain so that his membership
in the Development group can take effect. The scenario does not indicate the scope of the Development
group. If it is a local group on Server1, then Active Directory replication between domain controllers is
irrelevant to the management of this group. If it is a domain group, then it exists in Active Directory and its
membership is propagated among domain controllers through replication. The scenario stipulates that the
network consists of a single Active Directory site. Changes to Active Directory replicate within the same site
almost instantaneously. Even if Bob logged on before his membership in the Development group had replicated
to all domain controllers, forcing immediate replication would not grant Bob access to the Projects folder until
he logs off and logs on again in order to be issued a new access token. If the group is a domain group, the
same applies to the Kerberos ticket-granting ticket that Bob's client obtained at logon: it carries his group
membership as it was at logon, so even a new connection to Server1 reuses the stale membership until he logs
on again and receives a new ticket. It is unnecessary to restart Server1 because this action would not cause a
new access token to be generated for Bob. The scenario does not indicate that any member of the Development
group other than Bob cannot access the Projects folder. Thus, most likely, the Development group is assigned
all the necessary share and NTFS permissions for the Projects folder. Therefore, you do not need to assign
permissions for it to Bob's user account.


Item: 16 (Ref:Cert-70-290.3.2.15)

You are your company's network administrator. Your corporate network consists of a single Active Directory
domain. All servers run Windows Server 2003. Client computers run Windows XP Professional, Windows
2000 Professional or Windows NT 4.0 Workstation. You install a line-of-business application on 10 servers
and you also install Terminal Server on those computers to enable users to run the application on the servers.
To ensure proper performance of the terminal servers, you must configure certain session and time-out
settings that will affect all terminal server users. You want to perform this task with the least amount of
administrative effort.

Which of the following should you do?


Configure the necessary settings in the properties for the RDP-Tcp connection on each terminal server.
Place all client computers into an OU, configure the necessary settings in a GPO, and link the GPO to
the OU.
Place all terminal servers into an OU, configure the necessary settings in a GPO, and link the GPO to
the OU.
In Active Directory Users and Computers, select the user accounts of all terminal server users and
configure the necessary settings in the properties for the selection.

Answer:
Place all terminal servers into an OU, configure the necessary settings in a
GPO, and link the GPO to the OU.

Explanation:
Terminal Services session and time-out limits can be configured at two levels: per terminal server and per
user account. Correspondingly, you can configure those settings in a Group Policy object (GPO). If you
configure those settings in the Computer Configuration section of a GPO, then you should apply the GPO to
terminal servers. If you configure those settings in the User Configuration section, then you should apply the
GPO to users. To apply a GPO to targeted computers or users, you should place the computers or users,
respectively, into an organizational unit (OU) and link the GPO to the OU.

In this scenario, you should configure the appropriate terminal server policies in the Computer Configuration
section of a GPO and link it to an OU that contains the 10 terminal servers. Configuring each terminal server
individually would require more effort than configuring the necessary settings in a GPO only once. The GPO
should be applied to the terminal servers, not to client computers that connect to the terminal servers. In
Windows Server 2003, you can select multiple user accounts in Active Directory Users and Computers, right-
click the selection, select Properties and configure the same settings for all selected accounts. However, only
a subset of user account properties can be configured in this manner; particularly, the Sessions tab of the
user account's Properties sheet is not included in the Properties sheet for a selection of multiple user
accounts.


Item: 17 (Ref:Cert-70-290.3.2.16)

You are your company's network administrator. Your company's network consists of a single Active Directory
domain. All servers run Windows Server 2003. Client computers run Windows XP Professional, Windows
2000 Professional or Windows NT 4.0. You install a line-of-business application on a terminal server named
TS1. The application is used to process customer data that sales representatives store on their client
computers. You must ensure that the application on TS1 can access the customer data files on client
computers' local hard disks when users run the application through a terminal server session.

Which of the following should you do?


Share the local hard disks on the client computers.
Configure client hard disk redirection in a GPO, and apply the GPO to terminal server users.
Share the hard disks on TS1.
In the RDP-Tcp connection's properties, enable the option to connect client drives at logon.

Answer:
In the RDP-Tcp connection's properties, enable the option to connect client
drives at logon.

Explanation:
To enable all users to run the application on TS1, you should deploy Remote Desktop Connection (RDC) to
all client computers. RDC is the newer version of the Terminal Services client software. It is installed
automatically only on computers that run Windows XP. To support Windows 2000 and Windows NT 4.0 users,
you should place the Terminal Services Client MSI Setup package on a network share and instruct Windows
2000 and Windows NT 4.0 users to install it on their client computers. The package is available on a Windows
XP installation CD-ROM.

To enable terminal server users to access their local hard disks through Terminal Server sessions, you should
disable Use connection settings from user settings and then enable Connect client drives at logon on
the Client Settings tab of the RDP-Tcp Properties sheet. When a user connects to TS1, the local hard disks
on the user's client computer will appear in Windows Explorer in the terminal server session, and the line-of-
business application that the user will run on TS1 will be able to access data on the local hard disks on the
client computer.

You do not need to share the hard disks on client computers to make them accessible from within terminal
server sessions. Unnecessarily sharing local hard disks would make the network environment less secure. In
a Group Policy object (GPO), client hard disk redirection can be configured only in the Computer
Configuration section; computer-specific policies apply to computers, not to users. Thus, if you configured
client hard disk redirection in a GPO that targeted users, then that policy would have no effect. Additionally,
client/server redirection policies are intended to be applied to terminal servers, not to client computers. The
application on TS1 requires access to hard disks on client computers; therefore, sharing hard disks on TS1
would be irrelevant to the task in this scenario.


Item: 18 (Ref:Cert-70-290.3.2.17)

You are your company's network administrator. Your company's network consists of a single Active Directory
domain. All servers run Windows Server 2003, and all client computers run Windows XP Professional.
Software developers test a server application on several servers, which are configured to allow Remote
Desktop connections. The developers need to be able to upload code updates from their client computers to
the servers. You must ensure that each developer can access hard disks on any of the servers and the local
hard disks on his or her client computer simultaneously from within a Remote Desktop connection to the
server.

Which of the following should you do?


Configure a GPO to enable Remote Desktop, and apply the GPO to the developers' client computers.
Instruct the developers to configure the local hard disk redirection in Remote Desktop connection
properties on their client computers.
Assign the Log on locally user right to the developers in a GPO, and apply the GPO to the developers'
client computers.
Assign the Log on locally user right to the developers in a GPO, and apply the GPO to the developers'
user accounts.

Answer:
Instruct the developers to configure the local hard disk redirection in Remote
Desktop connection properties on their client computers.

Explanation:
Windows Server 2003 supports Remote Desktop connections by default, without the Terminal Server software
installed. The Remote Desktop feature allows up to two remote sessions, which can be used to remotely
manage a server or perform other tasks, such as running or testing applications. To enable a server to accept
Remote Desktop connections, an administrator should select Allow users to connect remotely to this
computer on the Remote tab of the System Properties sheet on the server. This feature can also be
enabled by using a Group Policy object (GPO); however, that GPO should be applied to terminal servers, not
to client computers.

When a user is logged on to a server through a Remote Desktop connection, the user experience is similar to
a local session on the server. The remote user can manipulate all server resources as if the user were logged
on interactively at the server's console. To be able to copy files between the server's hard disks and the local
hard disks on the client computer, the client computer's hard disks can be made available to the Remote
Desktop session. In this scenario, each developer can select Disk drives on the Local Resources tab in the
Remote Desktop Connection object on his or her client computer.

Alternatively, this setting can be configured in the RDP-Tcp connection's properties on each server, in a
computer-specific policy in a GPO that is applied to the servers, or on the Environment tab of a user account's
Properties sheet.

By default, all users can log on locally to client computers. You do not need to specifically assign this right to
the developers for their client computers. The Log on locally user right is a computer-specific policy; it can be
applied only to computers, not to users. Additionally, this right is not related to the local hard disk redirection.


Item: 19 (Ref:Cert-70-290.3.2.18)

You are your company's network administrator. Your company's network consists of a single Active Directory
domain. All servers run Windows Server 2003. There are approximately 1,000 client computers on the
network; 650 of them run Windows NT 4.0, 200 run Windows 2000 Professional, and 150 run Windows XP
Professional. For each department, an organizational unit (OU) exists that contains the corresponding users
and their client computers. Several terminal servers provide applications to users. All terminal servers host the
same applications, which are specific to departments. In each department, all users run the same application.
Any user can run the corresponding application on any of the terminal servers. You must ensure that each
time a user logs on to a terminal server, the corresponding application starts automatically. You want to
accomplish this task with the least amount of administrative effort.

Which of the following should you do?


For each department, configure the appropriate user policy in a GPO, and link the GPO to the
departmental OU.
Configure the appropriate environment settings in each user account's properties.
For each department, configure the appropriate computer policy in a GPO, and link the GPO to the
departmental OU.
Place all terminal servers into an OU, configure the appropriate computer policies in a GPO, and link the
GPO to the OU.

Answer:
For each department, configure the appropriate user policy in a GPO, and
link the GPO to the departmental OU.

Explanation:
You can specify a startup program for terminal server users in the RDP-Tcp properties on each terminal server,
in each user account's properties, in a computer policy in a Group Policy object (GPO), in a user policy in a
GPO, and in each user's Remote Desktop Connection properties. In this scenario, for each department, you
should create a GPO, specify the appropriate application in the Start a program on connection policy in the
User Configuration/Administrative Templates/Windows Components/Terminal Services path in the
GPO namespace, and link the GPO to the departmental OU. Although Windows NT 4.0 does not support
GPOs, the GPOs will be applied to the users' terminal server sessions, not to their client computer sessions.
When a user starts a terminal server session, the user is considered as being logged on locally to the terminal
server. Therefore, user-specific policies in the GPOs that target the user are applied to the user.

If you specified an application in the Start a program on connection policy in a GPO at the Computer
Configuration/Administrative Templates/Windows Components/Terminal Services path and applied the
GPO to a departmental OU, then the policy would take effect only if users started terminal server sessions on
the departmental client computers. However, in this scenario, users run terminal server sessions on terminal
servers, not on each other's client computers. Additionally, this policy would apply only to Windows XP
Professional client computers. Windows 2000 does not support this policy, and Windows NT 4.0 does not
support any GPOs.

In RDP-Tcp properties on a terminal server, you can specify only one application for all users. However, each
terminal server in this scenario hosts applications for several departments, and users from any department
can use any terminal server. Thus, you cannot implement the requisite configuration by using RDP-Tcp
properties on any of the terminal servers. Consequently, you cannot implement that configuration by applying
a single GPO to all terminal servers. You can specify the appropriate application on the Environment tab of
each user account's Properties sheet. However, configuring 1,000 user accounts would require substantial
administrative effort.

Copyright © 2010 Transcender LLC, a Kaplan Professional Company. All Rights Reserved.
Página 25 de 54

Item: 20 (Ref:Cert-70-290.3.2.34)

You are your company's network administrator. Your company's network consists of a single Active Directory
domain. All servers run Windows Server 2003, and all client computers run Windows XP Professional. You
install Terminal Server on a computer named TS1. To ensure proper performance of TS1, you want to
prevent users from unnecessarily tying up its resources. If a user disconnects from a session and does not
reconnect to it within five minutes, the session should be terminated. If a user connects to TS1 and does not
perform any activity during 15 minutes, then that user should be disconnected from the session. Only those
users who are actively using their sessions should not be affected. You must configure the appropriate
settings in the RDP-Tcp connection's properties.

This graphic is not available in print format.

Explanation:
The settings for Terminal Server sessions can be configured either for each user individually in the user
account's properties or for all users in the properties for the RDP-Tcp connection in the Terminal Services
Configuration console. The RDP-Tcp settings override individual user settings. Thus, you should first select
the two Override user settings check boxes in order to be able to configure the appropriate session settings
for all TS1 users simultaneously. To meet the requirements of this scenario, you should specify that
disconnected sessions be ended five minutes after the disconnection, that active sessions never expire, that
idle sessions expire after 15 minutes of inactivity, and that the sessions that have reached their limits should
be disconnected.

A session becomes disconnected if a user clicks the Close button in the upper right corner of the Remote
Desktop window without logging off first. A disconnected session continues to run on the terminal server and
consume its resources. In this scenario, if a user does not perform any activity on TS1 for 15 minutes, the
user's session will be automatically disconnected. If the user does not log on to that disconnected session
within five minutes after it was disconnected, the session will be automatically terminated.


Item: 21 (Ref:Cert-70-290.3.2.9)

You are a network administrator for your company. The corporate network consists of a single Active
Directory domain. All servers run Windows Server 2003. On a file server named Server1, you create a shared
folder named UserData. Users should be able to create subfolders in this folder and save files only to their
respective subfolders. Users should be able to assign permissions only for their own respective files and
subfolders.

Which of the following should you do? (Select 2 choices. Each correct answer presents part of the solution.)
Assign the Allow - Modify permission for UserData to the Users group.
Assign the Allow - Create Folders /Append Data permission for UserData to the Users group.
Assign the Allow - Full Control permission for subfolders and files to the Users group.
Assign the Allow - Full Control permission for subfolders and files to the Creator Owner group.
Assign the Allow - Full Control permission for subfolders and files to the Network group.

Answer:
Assign the Allow - Create Folders /Append Data permission for UserData to the Users group.
Assign the Allow - Full Control permission for subfolders and files to the Creator Owner group.

Explanation:
To be able to create subfolders in UserData by using graphical tools, such as Windows Explorer, users should
be able to view the contents of the UserData folder. Therefore, you should grant some level of read access
for the UserData folder. For example, you can assign the Allow - Read & Execute permission for UserData
to the Users group. This permission will allow users to view the contents of all subfolders and files in
UserData. Subsequently, each user can modify permissions for his or her subfolder in order to assign other
users a desired level of access to that subfolder. Alternatively, you can assign only the Allow - List
Folder /Read Data permission to the Users group and set the scope of the permission to This folder only in
the Apply onto drop-down list box. Users will then be able only to view the names of other users' subfolders
without being able to view the contents of those subfolders.

To enable users to create subfolders in UserData, you should assign the Allow - Create Folders /Append
Data permission and set its scope to This folder only. To allow users to assign permissions for their own
subfolders to other users, you should assign the Creator Owner group the Allow - Full Control permission
and set its scope to Subfolders and files only. Users will be able to create only subfolders in UserData; they
will not be able to create files directly in UserData. When a user creates a subfolder in UserData, that user
will become the owner of that subfolder and will be able to create files and child subfolders in his or her
subfolder. Note that, additionally, you should assign the Allow - Full Control share permission for UserData
to the Users group in order to enable users to control NTFS permissions for their subfolders and files over the
network.

If you assigned the Allow - Modify permission for UserData to the Users group, then users would be able to
view, create, change, and delete all files and subfolders in UserData. If you assigned the Allow - Full Control
permission for subfolders and files to the Users group, then all users would have full control of all other users'
subfolders and files. If you assigned the Allow - Full Control permission for subfolders and files to the
Network group, then all users who access shared data on Server1 remotely would have full control of all
other users' subfolders and files.


Item: 22 (Ref:Cert-70-290.4.2.1)

You are your company's network administrator. Your corporate network consists of a single Active Directory
domain and several sites. All servers run Windows Server 2003, and all client computers run Windows XP
Professional. A separate site is configured for the central office and for each branch office. Each branch office
is connected to the central office through a private WAN link. Each site has a separate Internet connection
through a local ISP. One server in each site is configured as a Software Update Services (SUS) server. You
want to minimize the WAN bandwidth related to the downloading and deployment of updates.

Which of the following should you do?


Configure the SUS servers in all branch offices to download updates from the SUS server in the central office.
Configure each SUS server to refer clients to the Windows Update Web site.
Configure the SUS servers in all branch offices to refer clients to the SUS server in the central office.
Configure each SUS server to download only the locales that are required on your network.

Answer:
Configure each SUS server to download only the locales that are required on your network.

Explanation:
A SUS server can be configured to download two types of content: the update metadata and the actual
updates. If only the metadata file is downloaded to a SUS server, then clients should be referred to download
the updates either from the Windows Update Web site on the Internet or from another SUS server. To
conserve the WAN bandwidth in this scenario, you should configure each SUS server to download updates
only for the locales that are used on your company's network, and to host the updates locally. By selecting
just one or two locales, you can reduce the size of the initial synchronization of the SUS servers
several-fold. By storing the updates locally on each SUS server and configuring clients to download updates
only from the SUS servers in the clients' respective local sites, you will prevent the updates from being
transmitted through the inter-office WAN links or through the Internet connection for each client.

Regardless of whether each SUS server downloads all the updates from the Internet or from another SUS
server on the network, the total amount of data that will be transmitted through all of the WAN links to the SUS
servers will remain the same.


Item: 23 (Ref:Cert-70-290.4.2.10)

You are your company's network administrator. The company's network consists of a single Active Directory
domain. All servers run Windows Server 2003, and all client computers run Windows XP Professional. You
want to manage the domain from your workstation. However, when you open the Administrative Tools folder
on the Start menu on your client computer, you notice that the Active Directory Users and Computers console
is not present. You must install Active Directory Users and Computers on your client computer.

Which of the following should you do?


At the command prompt on your computer, type dsa.msc.
From the Run dialog box on the Start menu on your computer, execute the mmc command, and add the Active Directory Users and Computers snap-in.
In Windows Explorer on your computer, navigate to the C:\Windows\system32\dsa.msc file on a domain controller, and double-click it.
In Windows Explorer on your client computer, navigate to the C:\Windows\system32\adminpak.msi file on a domain controller, and double-click it.

Answer:
In Windows Explorer on your client computer, navigate to the C:\Windows\system32\adminpak.msi file on a domain controller, and double-click it.

Explanation:
To administer the domain from your workstation, you can either install Windows Server 2003 administrative
tools on your computer or enable Remote Desktop on domain controllers and connect to them remotely. In
this scenario, you are required to install the administrative tools. They are provided in the adminpak.msi file,
which, by default, is available in the C:\Windows\system32 folder on any Windows Server 2003 computer on
your network. If the C drive is not shared on any servers, then you can connect to the administrative share,
C$, navigate to the \Windows\system32\adminpak.msi file, and invoke the installation of the package by
double-clicking it. The Active Directory Users and Computers console will be installed on your computer along
with all other administrative tools.

The dsa.msc command can be used to open the Active Directory Users and Computers console only on the
computers on which this console is installed. By executing the mmc command from the Run dialog box, you
can open a blank Microsoft Management Console (MMC) on your computer. However, the Active Directory
Users and Computers snap-in is not available on Windows XP computers by default. Thus, you would not be
able to add it to the MMC. You cannot run Active Directory Users and Computers on your client computer by
double-clicking the dsa.msc file that resides on a remote computer.


Item: 24 (Ref:Cert-70-290.4.2.11)

You are your company's network administrator. The corporate network consists of a single Active Directory
domain. All servers run Windows Server 2003, and all client computers run Windows XP Professional. The
company's written security policy stipulates that only authorized VBScript files be allowed to run on any client
computers. Currently, the only authorized script is named Admin.vbs, and it is located in a shared folder
named AdminTools on a file server named Server1. The Admin.vbs file is a framework for computer
administration scripts. There are several script modules that are intended for performing different tasks. Each
time before using the Admin.vbs file, you modify it to enable the appropriate module, depending on the task
that you need to perform. You must configure the appropriate software restriction policy to enforce the written
security policy.

Which of the following should you do? (Select 2 choices. Each correct answer presents part of the solution.)
Digitally sign all .vbs files; create a certificate rule with the Restricted security level.
Create a path rule for \\Server1\AdminTools\Admin.vbs; set the security level to Unrestricted.
Create a hash rule with the Disallowed security level for all .vbs files.
Create a certificate rule with the Disallowed security level for the Admin.vbs file.
Create a path rule for *.vbs; set the security level to Disallowed.

Answer:
Create a path rule for \\Server1\AdminTools\Admin.vbs; set the security level to Unrestricted.
Create a path rule for *.vbs; set the security level to Disallowed.

Explanation:
Software restriction policies prevent users from running unauthorized programs. Software restrictions are
defined by a default security level and additional rules, which stipulate exceptions to the default security level.
By default, the default security level is set to Unrestricted, which allows all programs to run. To prevent
all .vbs files from being run, you should create a path rule, set its security level to Disallowed, and specify the
*.vbs path. When multiple rules of the same type apply to the same files, more specific rules override less
specific rules. Thus, to override the previous rule in relation to the Admin.vbs file, you should create another
path rule that targets only the Admin.vbs file, and you should set the security level on that rule to
Unrestricted.

It would be impractical to digitally sign all .vbs files in order to prevent them from being run. You would have
to detect and sign each new .vbs file that appears on the network. Additionally, a security level can be set to
either Unrestricted or Disallowed; Restricted is not a valid security level setting. Similarly, it would be
impractical to use a hash rule in order to restrict all .vbs files from being run because you would have to
explicitly include each new .vbs file in the rule. Whenever any of the .vbs files changed, you would have to
recalculate its hash; otherwise, the hash rule would no longer apply to the changed file.

If you created a certificate rule for the Admin.vbs file, then, for the rule to always remain in effect, you would
have to sign the file each time it was changed. Additionally, to comply with the written security policy, the
security level on this rule would have to be set to Unrestricted, not Disallowed.


Item: 25 (Ref:Cert-70-290.4.2.12)

You are your company's network administrator. Your company's network consists of a single Active Directory
domain. All servers run Windows Server 2003, and all client computers run Windows XP Professional. The
company's written security policy stipulates that only authorized VBScript files are allowed to run on any client
computers. The scripts that are currently authorized are located on different computers throughout the
network. You must configure the appropriate software restriction policy to comply with the written security
policy. Once your solution is implemented, you should not have to reconfigure the policy each time that a
new .vbs file is authorized for use. You set the default security level to Unrestricted.

Which of the following should you do next? (Select 2 choices. Each correct answer presents part of the solution.)
Create a path rule for *.vbs; set the security level to Disallowed.
Create a hash rule for the authorized .vbs files; set the security level to Unrestricted.
Digitally sign each authorized .vbs file, and create a certificate rule with the Unrestricted security level.
Create an Internet zone rule for the Intranet zone; set the security level to Unrestricted.
Create an Internet zone rule for the Restricted sites zone; set the security level to Disallowed.

Answer:
Create a path rule for *.vbs; set the security level to Disallowed.
Digitally sign each authorized .vbs file, and create a certificate rule with the Unrestricted security level.

Explanation:
Software restriction rules specify exceptions to the default security level. There are four types of rules. If
multiple rules apply to the same file, then hash rules have the highest priority. Next, certificate rules override
path rules, which, in turn, override Internet zone rules. If multiple rules of the same type target the same file,
then more specific rules override more general ones. In this scenario, the general rule is that .vbs files are
restricted. To enforce this rule, you should create a path rule, specify the path as *.vbs and set the security
level to Disallowed. Additionally, you should create a certificate rule with the Unrestricted security level. The
rule should specify your digital certificate. To authorize a .vbs file, you should digitally sign it. Certificate rules
have a higher priority than path rules; therefore, the authorized files will be allowed to run, and all the
other .vbs files will not. Note that for certificate rules to take effect, you must configure a Group Policy object
(GPO) to enable the security option that turns certificate rules on.

If, instead of a certificate rule, you created a hash rule for authorized files, then you would have to list
each .vbs file in the policy, and you would have to modify the rule each time that an authorized file was added
or changed. Although, with a certificate rule, you will have to sign each new authorized .vbs file and reapply
a digital signature to an authorized file after it is changed, you will not have to change the certificate rule. The
rule lists only your certificate; it does not list the authorized files.

You cannot use Internet zone rules in this scenario because they apply only to Windows Installer .msi files.


Item: 26 (Ref:Cert-70-290.4.2.13)

Your company's network consists of a single Active Directory domain. All servers run Windows Server 2003,
and all client computers run Windows XP Professional. A terminal server named TS1 exists on the network.
Users should be allowed to run only authorized applications on TS1. Currently, only two applications on TS1
are authorized; one is installed in the C:\Program Files\App1 folder, and the other is installed in the
C:\Program Files\App2 folder. Both applications contain many executable files, which are frequently
updated. You must configure the appropriate software restriction policies.

Which of the following should you do? (Select 2 choices. Each correct answer presents part of the solution.)
Configure a GPO that applies to all client computers.
Create two path rules.
Configure a GPO that applies to TS1.
Create one path rule.

Answer:
Create two path rules.
Configure a GPO that applies to TS1.

Explanation:
Software restrictions are implemented through Group Policy objects (GPOs) that can apply to either
computers or users. In this scenario, users will run applications on the terminal server; therefore, you should
configure a GPO that applies to TS1. That GPO will affect all users who log on to TS1 locally or through
Remote Desktop connections. The authorized applications reside in specific folders; therefore, they can be
easily targeted with path rules. You should set the default security level to Disallowed in order to prevent
users from running any applications, except the ones that are specified in additional rules. For each
authorized application, you should create a separate path rule, specify the path to the folder where the
application is installed, and set the security level in the rule to Unrestricted. Only one path can be specified in
each path rule. Thus, you should create two path rules in this scenario. Those rules will apply to all executable
files in the specified folders, and the path rules will not be affected when files are updated.

If you configured restrictions in a GPO that applied to client computers, then the restrictions would apply to the
programs that users attempted to run on those computers. If you configured hash rules instead of path rules,
then you would have to create a separate rule for each executable file. Each time that an executable file was
changed, you would have to change the corresponding rule. If you created certificate rules, then you would
have to digitally sign all of the authorized executable files. Each time that any of the signed files was updated,
you would have to reapply a signature to that file. Internet zone rules are not applicable in this scenario
because they apply only to Windows Installer .msi packages.


Item: 27 (Ref:Cert-70-290.4.2.14)

You are a network administrator for your company. The corporate network consists of a single Active
Directory domain. All servers run Windows Server 2003, and all client computers run Windows XP
Professional. A file server named Server1 contains a shared folder named Share1. One day, some users
report that they cannot access any files in Share1, while other users do not experience this problem. You try
to connect to Share1 from your workstation, but your attempt is unsuccessful. Then, you try to access data in
Share1 through a Remote Desktop connection to Server1, and you can view, open and modify files in
Share1. You must ensure that all users can access data in Share1.

Which of the following should you do?


Assign the Allow - Modify NTFS permission for Share1 to the Users group.
Assign the Allow - Change share permission for Share1 to the Users group.
Replace the 10-Mbps network adapter on Server1 with a 100-Mbps adapter.
Add client access licenses to Server1.

Answer:
Add client access licenses to Server1.

Explanation:
Each shared folder can be configured to allow a specific number of connections. If the number of connections
that are allowed for Share1 has been reached, no new connections will be allowed until one of the connected
users disconnects from the share. The fact that you have failed to connect to Share1 by using the SMB
protocol, but have successfully connected through a Remote Desktop connection, indicates that Server1 does
not allow access to data in Share1 through the share, but allows access locally. It appears that the maximum
number of allowed connections to Share1 has been reached. To address the problem, you should consider
purchasing additional client access licenses and adding them to Server1. After that, you can increase the
number of allowed connections to Share1.

The scenario indicates that only some users cannot connect to Share1; thus, the problem cannot be caused
by a lack of share or NTFS permissions for Share1 that are assigned to the Users group. If network
bandwidth on your corporate LAN were insufficient to support the current number of users, then all users
would report slow access across the network; however, authorized users would not be denied access to the
data for which they are assigned the appropriate permissions.


Item: 28 (Ref:Cert-70-290.4.2.2)

You are your company's network administrator. The corporate network consists of a single Active Directory
domain. All servers run Windows Server 2003, and all client computers run Windows XP Professional. A
computer named SUS1 is configured as a Software Update Services (SUS) server. When you analyze a
representative client computer, you notice that several updates have not been installed. You verify that those
updates are available on SUS1. Other updates, including more recent ones, have been downloaded and
installed on client computers successfully. You must ensure that all the necessary updates are downloaded
and installed on all client computers.

Which of the following should you do?


On SUS1, approve the updates that have not been installed.
On each client computer, enable Automatic Updates in System Properties.
Place all client computers into an OU, enable the Configure Automatic Updates policy in a GPO, and link the GPO to the OU.
Configure SUS1 to refer clients to download the updates from the Windows Update Web site.

Answer:
On SUS1, approve the updates that have not been installed.

Explanation:
One of the advantages of using a local SUS server for deploying security updates is the ability of an
administrator to approve updates. An administrator can first test all the available updates on the appropriate
computers in a lab and then approve only those updates that do not cause any problems or conflicts with
other software. Automatic Updates clients can download only the approved updates from the SUS server. It
appears in this scenario that several updates have been accidentally skipped during the approval process. To
correct the problem, you should approve the skipped updates. Clients will automatically download and install
them in accordance with their Automatic Updates settings.

If Automatic Updates were not enabled on client computers, either in each computer's System Properties or
through a Group Policy object (GPO), then none of the available updates would have been installed.
However, the scenario states that all updates, except a few skipped ones, have been successfully installed on
the client computers. Even if you changed the configuration of SUS1 to refer clients to the Windows Update
Web site, the clients that are configured to use SUS1 for updates would download only those updates that
have been approved on SUS1.


Item: 29 (Ref:Cert-70-290.4.2.3)

You are your company's network administrator. Your corporate network consists of a single Active Directory
domain. All servers run Windows Server 2003, and all client computers run Windows XP Professional. A
computer named SUS1 is configured as a Software Update Services (SUS) server from which client
computers download security updates. You examine several client computers and discover that several
critical updates have not been installed. Your further investigation reveals that those updates have not been
installed on any client computers, and that other updates, including more recent ones, have been installed.
You must determine the reason why some of the updates have not been installed on client computers.

Which of the following should you do?


Run Microsoft Baseline Security Analyzer on SUS1.
Review the synchronization and approval logs on SUS1.
Configure all client computers to download updates from SUS1.
Review update statistics on SUS1.

Answer:
Review the synchronization and approval logs on SUS1.

Explanation:
A SUS server can download updates from Microsoft's Windows Update Web site or from another SUS server.
The information about downloaded updates is recorded in the synchronization log on the SUS server. This log
is stored in the file named History-Sync.xml that is located in the AutoUpdate\Administration subfolder in
the folder where the SUS Web site resides. For the downloaded updates to be made available to Automatic
Updates clients, an administrator must approve the appropriate updates. The information about the approvals
is recorded in the approval log on the SUS server. This log is located in the file named History-Approve.xml
that is located in the same folder as the synchronization log.

The most likely reason why some updates have not been installed on client computers in this scenario is that
those updates have not been either downloaded to SUS1 or approved. To determine which updates have
been downloaded to SUS1 from the Windows Update site, you should review the synchronization log, and to
determine which of those updates have been approved, you should review the approval log.

Microsoft Baseline Security Analyzer (MBSA) is a tool that can be used to determine whether the
configuration of a computer meets certain security standards. Among other things, MBSA can check which
critical security updates are missing from the computer. Most likely, running MBSA on SUS1 would not
provide you with any information that might be useful to identify the reason why some security updates have
not been installed on client computers. All client computers are already configured to download updates from
SUS1; otherwise, they would not have the most recent updates installed. Update statistics contain the
information about the updates that have been downloaded on each client computer and the success or failure
of the installation of those updates. You do not need to review this information in this scenario because you
have already identified the updates that have not been installed on all client computers.


Item: 30 (Ref:Cert-70-290.4.2.4)

You are your company's network administrator. The corporate network consists of a single Active Directory
domain. All servers run Windows Server 2003, and all client computers run Windows XP Professional. A
computer named SUS1 is configured as a Software Update Services (SUS) server. All client computers are
configured to download security updates from SUS1. As a routine maintenance procedure, you periodically
examine some client computers. During one such examination, you notice that no updates have been
provided during the last several days. You use Internet Explorer on your administrative workstation to access
the SUS Administration Web page on SUS1; however, your attempt is unsuccessful. You must ensure that
client computers can download updates from SUS1.

Which of the following should you do?


On SUS1, share the folder where the SUS Web site is located.
Configure SUS1 to refer clients to download updates from the Windows Update Web site.
Restart the World Wide Web Publishing service on SUS1.
Review the synchronization and approval logs on SUS1.

Answer:
Restart the World Wide Web Publishing service on SUS1.

Explanation:
SUS is a Web application, and its server side depends on IIS. SUS administration is also implemented as a
Web application. The fact that you cannot access the SUS Administration Web pages on SUS1 indicates that,
most likely, IIS is not running on SUS1. Although merely restarting the World Wide Web Publishing service
might not resolve the problem, performing this action appears to be a reasonable first step in an attempt to
investigate why SUS is not functioning on SUS1.

Automatic Updates clients that are configured to download updates from SUS1 access updates on the SUS
Web site by using HTTP, not SMB. Therefore, the folder where that Web site is located does not need to be
shared. In this scenario, client computers cannot connect to the SUS Web site on SUS1. Therefore, SUS1
cannot refer them to the Windows Update Web site or to another SUS server. For the same reason, you
cannot access the synchronization and approval logs on SUS1 through the SUS Administration Web page.
Although you might be able to access those logs through an administrative SMB share on SUS1, reviewing
those logs would not enable you to restart the SUS Web site.
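The first-step check described above, carried out from the administrative workstation, as an added example that is not part of the original item. The server name SUS1 comes from the scenario; that you hold local administrator rights on SUS1 and that the SUS Administration site sits at its default URL are assumptions.

```powershell
# Added example (not from the original item): confirm the state of the Web
# service on SUS1, restart it remotely, and verify that the pages clients and
# administrators need answer again. Assumed: you are a local administrator on
# SUS1 and SUSAdmin is at its default URL.
$server = 'SUS1'

# Is the World Wide Web Publishing service running at all? sc.exe can query
# a remote machine's service control manager.
sc.exe "\\$server" query W3SVC

# iisreset against a remote computer stops and restarts W3SVC and the
# services it depends on; this is what "restart the World Wide Web
# Publishing service" amounts to in practice. Check the System and
# Application event logs on SUS1 if the restart itself fails.
iisreset $server /restart

# After the restart, fetch the administration page and the site root using
# the current Windows credentials; a failure here means IIS is still down
# or the site is stopped, and clients will not get updates either.
$wc = New-Object System.Net.WebClient
$wc.UseDefaultCredentials = $true
foreach ($url in "http://$server/SUSAdmin/", "http://$server/") {
    try   { $null = $wc.DownloadString($url); "$url OK" }
    catch { "$url FAILED: $($_.Exception.Message)" }
}
```

If the service restarts but the pages still fail, the next places to look are the Default Web Site itself (it can be stopped independently of W3SVC in IIS Manager) and the IIS logs under the site's log directory.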


Item: 31 (Ref:Cert-70-290.4.2.5)

You are your company's network administrator. The company's network consists of a single Active Directory
domain. All servers run Windows Server 2003. A computer named SUS1 is configured as a Software Update
Services (SUS) server. As part of your disaster recovery plan, you must periodically back up the information
that is necessary to recover the SUS contents and configuration in case of a failure.

Which of the following should you do?


Use Backup to back up System State and the default Web site content directory.
Use Backup to back up the SUS Administration content directory and System State.
Use IIS Manager to back up the SUS content directory. Then use Backup to back up the IIS metabase.
Use IIS Manager to back up the IIS metabase. Then, use Backup to back up the metabase backup file,
the default Web site content directory, and the SUS content directory.

Answer:
Use IIS Manager to back up the IIS metabase. Then, use Backup to back up
the metabase backup file, the default Web site content directory, and the SUS
content directory.

Explanation:
To be able to completely rebuild a SUS server with the same configuration and content, you should back up
the following data. First, in IIS Manager, you should right-click the Web server, point to All Tasks, and select
Backup/Restore Configuration. The IIS metabase will be backed up into two files in the
C:\Windows\system32\inetsrv\MetaBack folder, provided that the operating system is installed on drive C.
Then, you should use the Backup utility to back up those IIS metabase backup files, the default Web site
content storage directory, which, by default, is located in the C:\Inetpub\wwwroot folder, and the SUS
content storage directory, which, by default, is located in the C:\Inetpub\msus folder.

It is unnecessary to back up the entire System State in this scenario because you do not need to restore the
SUS server's exact identity. It is sufficient to rebuild a member server with the same name and SUS
configuration. Besides the default Web site content storage directory, you should also back up the SUS
content storage directory. It is unnecessary to back up the folder where the contents of the SUSAdmin virtual
directory are located. In IIS Manager, you can back up only the Web site configuration information; you cannot
back up Web site contents.
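The complete backup set described above, collected in one job, as an added example that is not part of the original item. The paths are the defaults quoted in the explanation; the staging folder D:\SUSBackup and the backup names are hypothetical.

```powershell
# Added example (not from the original item): gather everything a SUS rebuild
# needs into one .bkf file. Assumed and hypothetical: the default paths from
# the explanation, and D:\SUSBackup as a staging folder that is afterwards
# written to removable media.
$stamp = Get-Date -Format 'yyyyMMdd'
$stage = 'D:\SUSBackup'
$bks   = Join-Path $stage 'sus-selection.bks'
$bkf   = Join-Path $stage "SUS1-$stamp.bkf"
New-Item -ItemType Directory -Path $stage -Force | Out-Null

# 1. Metabase backup with the IIS 6 administration script. This writes the
#    same .MD0/.SC0 file pair to inetsrv\MetaBack that IIS Manager's
#    All Tasks > Backup/Restore Configuration produces.
cscript //nologo "$env:SystemRoot\system32\iisback.vbs" /backup /b "SUS1-$stamp"

# 2. Selection file for ntbackup, one path per line. ntbackup reads .bks
#    files as Unicode text, so the encoding is not optional.
@(
    "$env:SystemRoot\system32\inetsrv\MetaBack\"
    'C:\Inetpub\wwwroot\'
    'C:\Inetpub\msus\'
) | Set-Content -Path $bks -Encoding Unicode

# 3. Normal backup of the selection to a file, verified after writing.
ntbackup backup "@$bks" /j "SUS1 rebuild set $stamp" /f $bkf /m normal /v:yes /d "IIS metabase, wwwroot, SUS content"
```

The resulting .bkf is then copied to tape or optical media. Treat it as sensitive: the metabase holds the IIS account configuration for the server, so the file should carry the same access restrictions as the server's own system state backups.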


Item: 32 (Ref:Cert-70-290.4.2.6)

You are your company's network administrator. The corporate network consists of a single Active Directory
domain. All servers run Windows Server 2003. All servers on the network must be configured in accordance
with the company's written security policy. You suspect that an administrator of the server named ServerA
has accidentally changed the local security policy on that computer. You want to examine the configuration of
ServerA in order to determine which security settings are not in compliance with the written security policy.

Which of the following tools should you use?


Active Directory Users and Computers
Software Update Services
Microsoft Baseline Security Analyzer
Security Configuration and Analysis

Answer:
Security Configuration and Analysis

Explanation:
Security Configuration and Analysis (SCA) is a tool that can be used to compare the existing configuration of
security settings on a computer to the reference settings that are specified in an SCA database. You can
configure a reference computer with the appropriate security settings, export them to a security template file
and then import that template into an SCA database on a computer whose security settings you want to
analyze. SCA will compare the existing and reference settings, and notify you which settings do not match.
You can then modify the computer's configuration to match the settings that are recorded in the SCA
database. In this scenario, you should use SCA to examine the security settings on ServerA and to change
those settings that do not match the ones that are required in accordance with your company's written security
policy.

Active Directory Users and Computers is a tool that is used to manage users, groups, computers and other
resources in a domain. Software Update Services (SUS) is a server application that can be used to download
updates from Microsoft's Windows Update Web site and to make them available to other computers on the
network. Microsoft Baseline Security Analyzer (MBSA) can be used to examine the configuration of a
computer in order to determine whether it meets the recommended level of security for the type of tasks that it
is intended to perform. Particularly, MBSA verifies whether all the necessary operating system updates are
installed on the computer.
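The same analysis as Security Configuration and Analysis, driven from the command line with secedit.exe so it can be scripted across servers, as an added example that is not part of the original item. secedit, like SCA, works against the local computer, so the analyze step runs on ServerA. The template and database paths are hypothetical.

```powershell
# Added example (not from the original item): SCA's compare-and-fix cycle with
# secedit.exe. Assumed and hypothetical: C:\Baseline\FilePrint.inf is a
# template exported from a reference server that already matches the
# written security policy; the other paths are arbitrary.
$template = 'C:\Baseline\FilePrint.inf'
$db       = 'C:\Baseline\ServerA.sdb'
$log      = 'C:\Baseline\ServerA-analysis.log'

# Step 1, on the reference computer: export its effective local security
# settings to a template (the equivalent of exporting from SCA).
#   secedit /export /cfg C:\Baseline\FilePrint.inf

# Step 2, on ServerA: load the template into a new analysis database and
# compare the current settings against it. /quiet suppresses the prompts.
secedit /analyze /db $db /cfg $template /log $log /quiet

# Step 3: the log marks every differing setting with "Mismatch" and every
# setting the template defines but the computer does not with
# "Not Configured"; these are the lines that matter for the audit.
Get-Content $log | Select-String -Pattern 'Mismatch', 'Not Configured'

# Step 4, only after the differences have been reviewed: apply the template's
# settings from the same database to bring ServerA back into compliance.
#   secedit /configure /db $db /cfg $template /log $log /quiet
```

Keep the template and database on a path that ordinary users cannot write to; a modified template applied with /configure changes the server's security policy just as effectively as the accidental change the scenario is trying to undo.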


Item: 33 (Ref:Cert-70-290.4.2.7)

You are your company's network administrator. Your corporate network consists of a single Active Directory
domain. All servers run Windows Server 2003, and all client computers run Windows XP Professional. The
company's written security policy stipulates the security requirements that each type of server on the network
must meet. Particularly, servers should not run any unnecessary services, and they must have all the latest
security updates installed. You install and configure a file and print server named Server1, and you want to
ensure that Server1 meets those requirements.

Which of the following should you do?


Install Microsoft Baseline Security Analyzer on your administrative workstation, and use it to scan
Server1.
Use Security Configuration and Analysis on your administrative workstation to analyze the security
settings on Server1.
Use a Software Update Services server to download and install security updates on Server1.
Use Security Configuration and Analysis on Server1 to analyze its security settings.

Answer:
Install Microsoft Baseline Security Analyzer on your administrative
workstation, and use it to scan Server1.

Explanation:
Microsoft Baseline Security Analyzer (MBSA) is a tool that can be used to analyze various aspects of security
configuration on a specified computer. MBSA can be downloaded from Microsoft's Web site and installed on a
computer that runs Windows 2000 or later. In this scenario, you can install MBSA on your administrative
workstation and use it to scan Server1 for vulnerabilities. The following exhibit presents an example of the
MBSA configuration that you can use in this scenario.


In the Computer name box, you should specify the name of the computer that you want to scan, preceded by
the domain name. The check for Windows vulnerabilities includes the checks for redundant services, shared
folders, file systems, and other possible vulnerabilities that can be caused by an inappropriate operating
system configuration. If you created any local user accounts on Server1, you might also want to check for
weak passwords. If only the default local accounts, Administrator and Guest, exist on Server1, then you
might choose to skip this check. Server1 runs neither IIS nor SQL Server; therefore, you do not need to check
it for the vulnerabilities that can be associated with these two applications. You should check whether all the
necessary security updates are installed on Server1. By default, MBSA will connect to Microsoft's Windows
Update Web site and download the list of the critical security updates that should be installed on the
computer. If there is a Software Update Services (SUS) server on your network, then you should specify the
appropriate URL for that server in the format http://SUS1, where SUS1 is the name of your SUS server.
MBSA will then check Server1 against the list of approved updates on SUS1.

Security Configuration and Analysis (SCA) is a tool that can be used to compare the security policy settings
on a computer with a reference set of settings. If you wanted to perform this analysis, you would run SCA on
Server1. However, the scenario does not require that you check the security policy settings on Server1.

SUS is a Web application that can be used to implement a local source of security updates that is similar to
the one on the Windows Update Web site.
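The scan configured in the exhibit, expressed as an mbsacli.exe command line so it can be repeated from a script, as an added example that is not part of the original item. The switch names are those of MBSA 1.2; the domain name CORP and the installation folder are assumptions.

```powershell
# Added example (not from the original item): the exhibit's scan run with
# mbsacli.exe (MBSA 1.2 syntax). Assumed and hypothetical: the domain is
# CORP and MBSA is installed in its default folder.
$mbsa = Join-Path $env:ProgramFiles 'Microsoft Baseline Security Analyzer\mbsacli.exe'

# /c    the computer to scan, written as domain\name as in the exhibit
# /n    checks to skip: IIS and SQL Server are not installed on Server1, and
#       with only the built-in Administrator and Guest accounts present the
#       weak-password check adds little, so it is skipped as well
# /sus  compare installed updates with the approved list on SUS1 instead of
#       the Windows Update catalog
& $mbsa /c CORP\Server1 /n IIS+SQL+Password /sus http://SUS1
```

A remote scan needs the scanning account to be a local administrator on Server1, the Remote Registry service running there, and SMB reachable from the workstation; without these MBSA reports the computer as unscannable rather than as compliant, so read the result status before the findings.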


Item: 34 (Ref:Cert-70-290.4.2.8)

You are your company's network administrator. Your company's network consists of a single Active Directory
domain. All servers run Windows Server 2003, and all client computers run Windows XP Professional. You
are preparing to install a new application on a server named Server1. The documentation for the application
specifies the appropriate system requirements, which include several recent Windows patches and hot fixes.
You want to determine whether the necessary updates are installed on Server1.

Which of the following should you do?


Use Security Configuration and Analysis.
Run the wmic qfe command from the command prompt.
Use Microsoft Baseline Security Analyzer.
Run the gpedit.msc command from the command prompt.

Answer:
Run the wmic qfe command from the command prompt.

Explanation:
You can view the list of installed updates in Add or Remove Programs in Control Panel. Alternatively, you can
use the wmic command. Wmic is the command-line interface to Windows Management Instrumentation
(WMI). You can use this command to manage local and remote computers from a command prompt. To
obtain the list of installed updates, you can issue the wmic qfe command.

Microsoft Baseline Security Analyzer (MBSA) is a tool that can be used to scan a computer for vulnerabilities.
One of the checks that MBSA can perform is comparing the list of installed security updates to the list of
critical updates that are available on the Windows Update Web site or to the list of approved updates on a
specified Software Update Services (SUS) server. The updates that are required for the new application that
you are going to install on Server1 may not necessarily be considered critical, and they may not be present
among the approved updates on your corporate SUS servers if any are available on your company's network.
Therefore, using MBSA would not guarantee that the presence of the required updates on Server1 would be
discovered.

Security Configuration and Analysis (SCA) is a tool that can be used to compare the security policy settings
on a computer with a reference set of security policy settings. The gpedit.msc command opens the local
security policy in Group Policy object (GPO) Editor. Neither SCA nor GPO Editor is related to the task of
determining the list of installed operating system updates on a computer.
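The check described above, done against the class behind wmic qfe so that the application's required update list can be compared automatically, as an added example that is not part of the original item. The KB identifiers are placeholders and must be replaced with the ones from the vendor's documentation; PowerShell being available on the administrative workstation is an assumption.

```powershell
# Added example (not from the original item): report which of the updates an
# application requires are missing on Server1. The KB numbers below are
# hypothetical placeholders, not real update identifiers.
$required = 'KB000001', 'KB000002', 'KB000003'
$server   = 'Server1'

# Win32_QuickFixEngineering is the WMI class that "wmic qfe" queries; the
# equivalent one-liner from a command prompt is
#   wmic /node:Server1 qfe get HotFixID,Description,InstalledOn
$installed = Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $server |
             ForEach-Object { $_.HotFixID }

$missing = $required | Where-Object { $installed -notcontains $_ }
if ($missing) {
    "Missing on ${server}: $($missing -join ', ')"
} else {
    "All required updates are present on $server"
}
```

QFE data covers updates installed through the operating system's update mechanism. A prerequisite that ships as its own installer (a runtime or service pack delivered as an .msi, for instance) may not appear there, so confirm those in Add or Remove Programs as the explanation suggests rather than treating an absent HotFixID as proof that it is missing.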


Item: 35 (Ref:Cert-70-290.4.2.9)

You are your company's network administrator. The corporate network consists of a single Active Directory
domain. All servers run Windows Server 2003, and all client computers run Windows XP Professional. The
network is connected to the Internet and contains a Software Update Services (SUS) server. Your company
purchases a line-of-business application from a software vendor. The vendor provides the application in the
form of an MSI package. The application must be installed on all client computers on the network. You must
deploy the application.

Which of the following should you do?


Specify the MSI package in a Windows Update policy in a GPO.
Place the MSI package in a shared folder on a file server, and instruct users to install the application
from that share.
Specify the MSI package in a Software Installation policy in a GPO.
Place the MSI package on the SUS server and approve it.

Answer:
Specify the MSI package in a Software Installation policy in a GPO.

Explanation:
MSI is the Windows Installer package format; an .msi file carries the information that Windows Installer needs to install an
application. To deploy an application that is provided in the form of an MSI package, you should place the
package in a shared folder on the network and configure an appropriate Group Policy object (GPO). There
are three ways to deploy an MSI package: it can be assigned to computers, assigned to users, or published to
users. In this scenario, the new application must be installed on all client computers. Therefore, you should
assign it to computers. To accomplish this task, you should specify the package in a Software Installation
policy at the Computer Configuration/Software Settings path in the GPO namespace, place all client
computers into an organizational unit (OU), and link the GPO to the OU.

Windows Update policies control the configuration of Automatic Updates client computers. Those policies
pertain to the deployment of the operating system updates through Microsoft's Windows Update Web site or
from a local SUS server. You cannot use a SUS server or Windows Update policies to deploy an MSI
package. If you only placed the MSI package in a shared folder and did not configure a software deployment
policy, then users would be free to decide whether to install the application. However, the scenario stipulates
that the application must be installed on all client computers.
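Preparing the distribution point that the Software Installation policy will point to, with the permissions a computer-assigned package actually needs, as an added example that is not part of the original item. The domain CORP, the file server FS1, the folder C:\Deploy and the package name LobApp.msi are hypothetical.

```powershell
# Added example (not from the original item): set up the share for a package
# assigned to computers. Assumed and hypothetical: domain CORP, file server
# FS1 (where this runs), folder C:\Deploy, package LobApp.msi already copied
# into that folder.
$folder = 'C:\Deploy'
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# A computer-assigned package is installed at startup by the Windows
# Installer service running as Local System, which reaches the share with
# the computer account. Domain Computers therefore needs Read on the NTFS
# folder and on the share; only administrators need write access, because
# anyone who can replace the .msi gets code run as SYSTEM on every client.
cacls $folder /E /G 'CORP\Domain Computers:R'
net share Deploy=$folder '/GRANT:CORP\Domain Computers,READ' '/GRANT:CORP\Domain Admins,FULL'

# In Group Policy Object Editor the package is then added under
# Computer Configuration\Software Settings\Software installation using the
# UNC path \\FS1\Deploy\LobApp.msi (a local path would not resolve on the
# clients). On a client, after gpupdate /force and a restart, confirm the
# assignment was applied:
#   gpresult /scope computer /v | findstr /i LobApp
```

Check the share permission syntax against net share /? on the server in use; the point of the example is the permission model (read for computer accounts, write for nobody else), which holds whichever tool sets it.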


Item: 36 (Ref:Cert-70-290.5.2.1)

You are your company's network administrator. Your company's network consists of a single Active Directory
Domain. All servers run Windows Server 2003, and all client computers run Windows XP Professional. The
network contains a member server named Server1, which hosts user data in shared folders and runs some
applications. Server1 contains two volumes: the operating system and applications are installed on drive C;
drive D contains user data. You must design a disaster recovery plan that will allow you to completely recover
Server1 in case of its failure.

Which of the following should you do? (Select two choices. Each correct answer presents part of the solution.)
Create an emergency repair floppy disk.
Format a floppy disk under Windows Server 2003.
Create an ASR backup.
Install Recovery Console on Server1.
Copy the Boot.ini, Ntdetect.com and Ntldr files to the floppy disk.
Back up drive D.

Answer:
Create an ASR backup.
Back up drive D.

Explanation:
Automated System Recovery (ASR) backup records the hard disk configuration data on a floppy disk, and
records System State and the full copy of the boot volume to a backup medium, such as tape. You can also
back up data to a file on a hard disk and then copy the file to a removable medium, such as a recordable CD
or DVD. A boot volume, or boot partition, is the volume where the operating system files are installed. The
volume on which the Boot.ini, Ntdetect.com, and Ntldr files are installed is referred to as a system volume,
or system partition. This terminology may appear somewhat confusing because the files on a system volume
are referred to as boot files, and the operating system files on a boot volume are referred to as system files.
Typically, both sets of files are installed on the same volume or partition. In this scenario, both the system
volume and the boot volume on Server1 are located on drive C. The ASR backup will record the contents of
the entire drive C. Additionally, you should perform a separate backup of drive D because ASR does not
include user data on volumes other than the boot volume.

An emergency repair disk is used in Windows 2000 and earlier operating systems. In Windows XP and
Windows Server 2003, ASR makes the emergency repair disk functionality redundant. If you formatted a
floppy disk under Windows Server 2003 and copied the Boot.ini, Ntdetect.com, and Ntldr files to it, then the
disk would become bootable and enable you to start Windows Server 2003 if data on the boot volume
survived, but the system volume became corrupted. Such a floppy disk would not enable you to completely
recover Server1 in case of major data corruption. Recovery Console is a command-line tool that can be used
to gain access to an installation of Windows Server 2003 that has become partially non-functional, and to
perform some basic operations, such as copying files and disabling services or drivers. Recovery Console
cannot be used to completely recover a server in case of a major failure or data corruption.


Item: 37 (Ref:Cert-70-290.5.2.10)

You are your company's network administrator. Your company's network consists of a single Active Directory
domain. All servers run Windows Server 2003, and all client computers run Windows XP Professional. The
network contains a member server named BkpSrv, which is equipped with a locally attached tape drive. You
log on to BkpSrv, open the Backup utility and schedule a backup job that targets a server named FS1. The
job successfully runs for several weeks. Then, your company implements an integrated backup solution from
a third party, and you must delete the scheduled backup job on BkpSrv. You want to accomplish this task
from your workstation. BkpSrv does not allow Remote Desktop connections.

Which of the following tools should you use?


the Backup utility
Scheduled Tasks in Control Panel
the ntbackup command
the schtasks command

Answer:
the schtasks command

Explanation:
To delete the scheduled backup job from BkpSrv remotely, while working on your workstation, you can use
the schtasks command with the /delete switch. This command-line tool can be used to create, modify and
delete scheduled tasks on local and remote computers. Schtasks replaces the at command, which is used in
earlier versions of Windows. Windows Server 2003 also supports the at command for backward compatibility.

You can create, change, and delete scheduled backup jobs on the Schedule Jobs tab in the Backup utility.
To delete the scheduled backup job from BkpSrv, you can log on to BkpSrv, start Backup, select the
Schedule Jobs tab, open the job and click Delete.

Although Schtasks is the command-line version of the Scheduled Tasks feature in Control Panel, the latter
cannot be used to manage scheduled tasks on remote computers. Similarly, the Backup utility on one
computer cannot be used to control Backup utility settings on another computer. The ntbackup command is
the command-line version of the Backup utility. The ntbackup command does not contain parameters that
can be used to manage scheduled backup jobs.


Item: 38 (Ref:Cert-70-290.5.2.2)

You are your company's network administrator. Your company's network consists of a single Active Directory
Domain. All servers run Windows Server 2003, and all client computers run Windows XP Professional. The
network contains a domain controller named DC5, which hosts user profiles and other user data in shared
folders. DC5 contains a single hard disk, which is configured as a single volume, drive C. In accordance with
your disaster recovery plan, you periodically perform an ASR backup on DC5 to a file named ASRdc5.bkf on
removable media. Additionally, you use a third-party file-level backup program to back up user profiles and
user data to a file named UserData.bkf on removable media. The vendor of that program has provided you
with a bootable floppy disk that contains the necessary files that can be used to start a computer and run a
limited version of the backup program in order to restore backups from the removable media.

One day, the hard disk on DC5 fails, and the operating system does not boot. You replace the failed hard
disk. You must restore the full functionality of DC5 with minimum or no loss of data, as soon as possible.

Which of the following should you do first?


Boot DC5 from the ASR floppy disk, restore the ASRdc5.bkf file and then run the third-party backup
program to restore the UserData.bkf file.
Boot DC5 from the floppy disk provided by the backup program vendor, restore data from the
UserData.bkf file and copy the ASRdc5.bkf file to the hard disk.
Boot DC5 from the floppy disk provided by the backup program vendor, restore data from the
ASRdc5.bkf file and then restore data from UserData.bkf file.
Boot DC5 from a Windows Server 2003 installation CD, and initiate ASR to restore the ASRdc5.bkf file.

Answer:
Boot DC5 from a Windows Server 2003 installation CD, and initiate ASR to
restore the ASRdc5.bkf file.

Explanation:
An Automated System Recovery (ASR) backup records System State and the entire boot volume. It also
creates a floppy disk that contains the necessary information to recreate all volumes that have been
damaged. In this scenario, DC5 contains only one hard disk, which is configured as a single volume. Thus, the
ASR backup records the entire contents of drive C, System State included. To restore DC5, you need to perform only an ASR restore. You
should boot DC5 from a Windows Server 2003 installation CD and press F2 in order to initiate ASR. When
prompted, you should insert the ASR floppy disk. The ASR restore process will install a limited version of the
operating system, which should automatically detect and install the drivers for the CD-ROM or tape drive or
another removable media device that you used to perform backups. Then, data from the ASRdc5.bkf file will
be restored.

The ASR backup already contains the entire contents of drive C, so restoring user data from the UserData.bkf file
afterwards is necessary only if that backup is more recent than the ASR backup and you want the changes made in between.

You cannot boot from an ASR floppy disk because it is not bootable. If you booted from the floppy disk
provided by the backup program vendor and restored data from the UserData.bkf file, the computer would
still remain without the operating system. Copying the ASRdc5.bkf file to the hard disk would not install the
operating system and would not make the computer fully functional. Although the ASR backup contains all the
necessary data to restore DC5, you should use the proper ASR restore process to restore data from the
ASRdc5.bkf file. Using the third-party backup program to perform a simple file-level restore from the
ASRdc5.bkf file will most likely fail to restore the full functionality of the domain controller. The scenario does
not indicate whether the .bkf files created by your third-party backup program are fully compatible with
the .bkf files that are created by the Backup utility. Additionally, the ASRdc5.bkf file contains the entire
contents of drive C; therefore, restoring data from the UserData.bkf file after ASRdc5.bkf has been restored is
necessary only if the user data backup is more recent than the ASR backup.


Item: 39 (Ref:Cert-70-290.5.2.3)

You are your company's network administrator. Your company's network consists of a single Active Directory
Domain. All servers run Windows Server 2003, and all client computers run Windows XP Professional. The
network contains a domain controller named DC1, which does not have a floppy drive. As part of your disaster
recovery plan, you must perform an Automated System Recovery (ASR) backup of DC1 three times per week.
In the event of a failure, you must be able to recover DC1 by restoring the latest ASR backup.

Which of the following should you do?


Perform an ASR backup on a computer that has a floppy drive, and use the ASR floppy disk from that
computer to perform an ASR restore on DC1.
Run the ASR wizard on DC1 to generate an ASR floppy disk to a shared floppy drive on another
computer.
Perform an ASR backup on DC1; then copy the appropriate files from DC1 to a computer that has a
floppy drive.
During ASR backups on DC1, use a re-writeable CD instead of a floppy disk.

Answer:
Perform an ASR backup on DC1; then copy the appropriate files from DC1 to
a computer that has a floppy drive.

Explanation:
ASR includes two major steps: backup and restore. During an ASR backup, the information that is necessary
to rebuild the volumes on the local hard disks along with other vital hardware-related information is recorded
to the asr.sif and asrpnp.sif files. Those files are copied to the \Windows\repair folder on the boot volume
and to a floppy disk on the local floppy drive if one is available. For an ASR restore to be performed, the
computer must be equipped with a local floppy drive, and a floppy disk with those files must be available. In this
scenario, if you do not want to add a floppy drive to DC1 permanently, then you should create an ASR floppy
disk for DC1 on a computer that has a local floppy drive. Immediately after performing an ASR backup on
DC1, you should copy the asr.sif and asrpnp.sif files from DC1 to a computer that has a floppy drive, and
copy those files to a floppy disk. You will have to temporarily install a floppy drive on DC1 in order to be able
to perform an ASR restore on DC1, should its hard disk fail.

Generally, the asr.sif and asrpnp.sif files that have been created on one computer cannot be used to
perform an ASR restore on another computer because those files contain hardware-specific information, such
as the name, size, and signature of each hard disk volume. The ASR wizard can write the asr.sif and
asrpnp.sif files only to a floppy disk on a local floppy drive; it cannot write those files to a writeable CD or a
shared floppy drive on a remote computer.
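The copy step from the procedure above, run from a computer that has a floppy drive, as an added example that is not part of the original item. That the DC1 administrative share C$ is reachable from that computer and that its Windows folder is C:\Windows are assumptions.

```powershell
# Added example (not from the original item): after an ASR backup on DC1,
# which has no floppy drive, pull the two ASR files to a workstation that
# has one and write them to a blank floppy. Assumed and hypothetical: this
# runs on the floppy-equipped workstation, \\DC1\C$ is reachable, and the
# Windows folder on DC1 is C:\Windows.
$src   = '\\DC1\C$\Windows\repair'
$dest  = 'A:\'
$files = 'asr.sif', 'asrpnp.sif'

foreach ($f in $files) {
    $path = Join-Path $src $f
    if (-not (Test-Path $path)) {
        throw "$f not found in $src; the ASR backup on DC1 did not complete"
    }
    Copy-Item -Path $path -Destination $dest -Force
}

# Both files are rewritten by every ASR backup and describe the disk layout
# as it was at that moment; a floppy from an older run does not match the
# newer tape. Note the timestamp and keep it with the backup media.
Get-Item (Join-Path $src 'asr.sif') | Select-Object Name, LastWriteTime
```

Label the floppy with the same date as the tape, and repeat the copy after each of the three weekly backups; an ASR restore that is handed an asr.sif from a different run will rebuild the volumes to the wrong specification.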


Item: 40 (Ref:Cert-70-290.5.2.35)

You are a network administrator for your company. The corporate network consists of a single Active
Directory domain. All servers run Windows Server 2003, and all client computers run Windows XP
Professional. You periodically perform an ASR backup on all domain controllers. One day, you discover that
Active Directory has been corrupted on a domain controller named DC5. DC5 is still operational, but it can
no longer function properly as a domain controller. You must restore the full functionality of DC5 as soon as
possible.

To perform this task, select the appropriate actions in the left pane and place them in the correct order in the
right pane.

This graphic is not available in print format.

Explanation:
Automated System Recovery (ASR) backup records the hard disk configuration data on a floppy disk, and
records System State and the full copy of the boot volume to a backup medium, such as tape. Instead of tape,
you can back up data to a file on a hard disk and then copy the file to a removable medium, such as a
recordable CD or DVD. In this scenario, you do not need to restore the entire ASR backup because the
scenario states that only the Active Directory database has been corrupted; the scenario does not indicate
that any other functionality has been affected. Therefore, to restore the full functionality of DC5 as a domain
controller, you should restore only its System State from the latest ASR backup.

First, you should restart DC5 in Directory Services Restore Mode. In this mode, a domain controller runs as a
stand-alone server, without initializing Active Directory. After System State has been restored from the latest
ASR backup, you should restart DC5 normally. The latest changes to Active Directory will be automatically
replicated from other domain controllers and bring the Active Directory database on DC5 up to date. You do
not need to perform any other actions in this scenario.



Item: 41 (Ref:Cert-70-290.5.2.4)

You are your company's network administrator. Your company's network consists of a single Active Directory
Domain. All servers run Windows Server 2003, and all client computers run Windows XP Professional. The
network contains a member server named Server1, which has a locally attached tape drive. Server1 hosts
important data. Should Server1 fail, you must be able to completely restore its data to the state it was in on
the day prior to failure. Server1 is extensively used during weekdays; you can back up all of the data on
Server1 only on weekends. You will perform each backup to a separate tape cartridge. You must implement a
backup strategy that will allow you to minimize the restore time.

Which of the following should you do?


Perform a normal backup each weekend and perform a differential backup each weekday.
Perform a copy backup each weekend and perform an incremental backup each weekday.
Perform a normal backup each weekend and perform a daily backup each weekday.
Perform a copy backup each weekend and perform a daily backup each weekday.

Answer:
Perform a normal backup each weekend and perform a differential backup
each weekday.

Explanation:
A normal backup records all selected data to a backup medium and resets the Archive attribute on those files.
A copy backup records all selected files, but does not change their Archive attribute. The Archive attribute on
a file is turned on when the file is created or changed. An incremental backup records only those selected files
whose Archive attribute is turned on; after that, the backup resets the Archive attribute on those files. A
differential backup also records only those selected files whose Archive attribute is turned on; however, a
differential backup does not change the Archive attribute on any files. A daily backup records only those
selected files that have been created or changed on the day when the daily backup is performed; a daily
backup does not change the Archive attribute on those files. A typical backup strategy includes infrequent
normal backups, for example, once per week, and frequent differential or incremental backups, for example
once per day. Both incremental and differential backups record only the changes that occurred since the
previous normal or incremental backup. Thus, to minimize the restore time, you should perform weekly normal
backups and daily differential backups. To restore all data after a failure, you will need to restore only two
tapes: the latest normal backup and the latest differential backup.

If you performed daily incremental backups instead of daily differential backups, then you would have to
restore more tapes to fully recover data. First, you would have to restore the latest normal backup, and then
restore each subsequent incremental backup in the same order that they were recorded. Although the amount
of data to be restored is the same with both strategies, restoring from only two tapes will usually take less time
than restoring from up to six tapes (the normal backup plus up to five incremental backups).

You should not include copy backups in your strategy because copy backups do not mark backed up files.
Therefore, a copy backup cannot be used as a starting point of a weekly backup cycle. Typically, copy
backups are used in addition to regular normal and differential or incremental backups. For example, you
might want to perform a copy backup before installing a new application or an upgrade patch. Should the
installation result in data corruption, you can restore the data from the copy backup without affecting your
regular backup routine. You should not include daily backups in your strategy because then, as with
incremental backups, you would not minimize the restore time.
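The Archive-attribute rules described above can be checked with a small model. This Python example is added here and is not part of the Transcender material or of Windows Backup; its file names and change schedule are constructed, and it reports the tape chain a full restore needs under a weekly normal backup combined with differential, incremental or daily weekday backups.

```python
from collections import namedtuple
from dataclasses import dataclass

@dataclass
class File:
    name: str
    archive: bool = True   # Archive attribute: set when created or changed
    changed_on: int = 0    # day of the last change, used by the daily type

BackupSet = namedtuple("BackupSet", "kind day files")  # type, day, recorded names

def run_backup(kind, files, day):
    """Select files as each Backup type does; normal and incremental also clear the bit."""
    assert kind in ("normal", "copy", "incremental", "differential", "daily"), kind
    if kind in ("normal", "copy"):
        selected = list(files)
    elif kind in ("incremental", "differential"):
        selected = [f for f in files if f.archive]
    else:  # daily: only files created or changed on the backup day
        selected = [f for f in files if f.changed_on == day]
    if kind in ("normal", "incremental"):  # the only types that mark files
        for f in selected:
            f.archive = False
    return BackupSet(kind, day, frozenset(f.name for f in selected))

def restore_chain(sets):
    """Tapes needed, oldest first, after the last set: every incremental, but only the
    newest differential (it repeats all changes since the last normal/incremental)."""
    chain, have_diff = [], False
    for s in reversed(sets):   # copy backups never anchor a cycle, so skip them
        if s.kind in ("differential", "daily") and not have_diff:
            chain.append(s)
        elif s.kind in ("incremental", "normal"):
            chain.append(s)
        have_diff |= s.kind == "differential"
        if s.kind == "normal":
            break
    return chain[::-1]

def simulate_week(weekday_kind):
    """Normal backup on day 0 (weekend), then one weekday_kind backup on days 1-5.
    Constructed schedule: a.txt changes on day 1, b.txt on day 3, c.txt on day 5."""
    files = {n: File(n) for n in ("a.txt", "b.txt", "c.txt", "d.txt")}
    edits = {1: "a.txt", 3: "b.txt", 5: "c.txt"}
    sets = [run_backup("normal", files.values(), 0)]
    for day in range(1, 6):
        if day in edits:  # an edit turns the Archive bit on and stamps the day
            files[edits[day]].archive, files[edits[day]].changed_on = True, day
        sets.append(run_backup(weekday_kind, files.values(), day))
    return sets
```

Running `restore_chain(simulate_week("differential"))` yields two tapes, while the incremental and daily strategies each yield six.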

Copyright © 2010 Transcender LLC, a Kaplan Professional Company. All Rights Reserved.
Página 50 de 54

Item: 42 (Ref:Cert-70-290.5.2.6)

You are your company's network administrator. Your company's network consists of a single Active Directory
Domain. All servers run Windows Server 2003, and all client computers run Windows XP Professional. A
member server named BkpSrv contains a locally attached tape drive. From your workstation, you log on to
BkpSrv through a Remote Desktop connection and run the Backup utility to back up a member server named
Server1. When the backup job completes, you want to review the report to make sure that the backup has
completed successfully.

Which of the following most accurately describes the location of the backup log file?
your user profile
your workstation
Server1
BkpSrv

Answer:
your user profile

Explanation:
The Backup utility saves the backup log in the user profile of the user who performed a backup. Depending on
the configuration of a user account and a logon method, the profile can reside in different locations. In this
scenario, you logged on to BkpSrv through a Remote Desktop connection. If no roaming profile is specified in
your domain user account's properties, then your profile that is used for this session is located on BkpSrv in
the \Documents and Settings\%username% folder. If a path to a roaming profile is specified on the
Terminal Services Profile tab of your user account's properties, then that profile is used for all your Remote
Desktop sessions. If no profile is specified on the Terminal Services Profile tab, but a path to a roaming
profile is specified on the Profile tab of your user account, then that profile is used each time that you log on
to any computer in the domain interactively or through a Remote Desktop connection. Backup logs are written
to the \Local Settings\Application Data\Microsoft\Windows NT\NTBackup\data subfolder in your user
profile folder.


Item: 43 (Ref:Cert-70-290.5.2.7)

You are your company's network administrator. Your company's network consists of a single Active Directory
Domain. All servers run Windows Server 2003, and all client computers run Windows XP Professional. You
assign your assistant named John to back up several computers on the network. John will perform the
backups from a specially designated computer named BkpSrv, which contains a locally attached tape drive.
Several days later, you decide to review the backup logs.

Which of the following should you do?


Log on to BkpSrv locally and start the Backup utility.
Request that John log on to BkpSrv and start the Backup utility.
Log on to your workstation and start the Backup utility.
Log on to BkpSrv through a Remote Desktop connection from your workstation and start the Backup
utility.

Answer:
Request that John log on to BkpSrv and start the Backup utility.

Explanation:
The Backup utility records backup logs to the Local Settings\Application Data\Microsoft\Windows
NT\NTBackup\data subfolder in the user profile folder of the user who performs a backup. Instead of
navigating to this folder in Windows Explorer, a user can view reports by selecting Report from the Tools
menu in the Backup utility. In this scenario, you want to view the reports of the backup jobs that have been
performed by John. If you know the location of his user profile and if you have permissions to access it, then
you can navigate in Windows Explorer to that location on BkpSrv from your workstation or from any other
computer in the domain to which you have access. Otherwise, you should request that John log on to BkpSrv
by using his user account credentials, start the Backup utility, and open the appropriate reports by selecting
Report from the Tools menu. If you logged on to BkpSrv and opened the Backup utility, then, by selecting
Report from the Tools menu, you would be able to view backup reports only for the backup jobs that you had
performed on BkpSrv. If you opened the Backup utility on your workstation, then, by selecting Report from
the Tools menu, you would be able to view the backup reports for the backup jobs that you had performed on
your workstation.


Item: 44 (Ref:Cert-70-290.5.2.8)

You are your company's network administrator. The corporate network consists of a single Active Directory
Domain. All servers run Windows Server 2003, and all client computers run Windows XP Professional. The
network contains a file server named Server1, which hosts a large amount of user data in shared folders.
Users access files on Server1 extensively at all times. You must back up all user data on Server1 without
causing disruption of user access to their files.

Which of the following should you do?


Use the ntbackup command with the /M switch.
Configure Backup to verify data after backup.
Configure Backup to use volume shadow copy.
Use the ntbackup command with the /L switch.

Answer:
Configure Backup to use volume shadow copy.

Explanation:
The Backup utility in Windows Server 2003 supports a new feature, volume shadow copy, which allows
Backup to back up the files that are currently opened by other applications. Backup uses the Volume Shadow
Copy service to create a snapshot of the files at the moment before the backup starts. Then, Backup records
the files from that snapshot copy without interfering with other users or services that are accessing the
originals of those files. To configure Backup to use volume shadow copy, you should ensure that Disable
volume shadow copy is not selected in the Advanced Backup Options dialog box. By default, this option is
not selected. Alternatively, if you administer backups from the command line, you can specify the /SNAP:on
switch in the ntbackup.exe command.

The /M switch in the ntbackup command is used to specify the backup type: normal, incremental, differential,
copy, or daily. The /L switch specifies the logging level for backup reports: full, summary, or none. If you
selected Verify data after backup in the Advanced Backup Options dialog box, then Backup would read
the backed up files and compare them to the original files on disk. Verification does not enable Backup to
back up files that are in use.


Item: 45 (Ref:Cert-70-290.5.2.9)

You are your company's network administrator. Your corporate network consists of a single Active Directory
Domain. All servers run Windows Server 2003, and all client computers run Windows XP Professional. The
network contains a file server named Server1, which hosts a large amount of user data in shared folders.
Users access files on Server1 extensively at all times. You must back up user data on Server1. You
configure a backup job on a backup server named BkpSrv. You run the job and notice that some files have
not been backed up. You must ensure that all the necessary files are backed up.

Which of the following should you do?


Perform a copy backup instead of a normal backup.
Configure Backup to use volume shadow copy.
Select the option to append the backup to the media.
Configure the job to run under the user account that has administrative privileges on Server1.

Answer:
Configure Backup to use volume shadow copy.

Explanation:
In Windows Server 2003, Backup can be configured to back up the files that are currently opened by other
applications. Backup uses the Volume Shadow Copy service to create a snapshot of the files at the moment
before the backup starts. Then, Backup records the files from that snapshot copy without causing contention
for the original files. To configure Backup to use volume shadow copy, you should select the files to be
backed up on the Backup tab of the Backup utility window, click Start Backup, click Advanced, ensure that
Disable volume shadow copy is not selected in the Advanced Backup Options dialog box, click OK and
click Start Backup. By default, the option to disable volume shadow copy is not selected. It appears that you
have accidentally or mistakenly selected it in this scenario.

A copy backup backs up the same files as a normal backup. The only difference between the two backups is
that a copy backup does not clear the Archive attribute on backed up files in order to mark them as having
been backed up. When you click Start Backup on the Backup tab in the Backup utility window, the Backup
Job Information dialog box appears. You can select the option to append the current backup to already
existing backups on the specified backup medium or to overwrite the previous backups. These settings do not
change the way Backup accesses the files that are selected for a backup. To perform a backup, you must be
a member of either the Administrators or Backup Operators group on Server1. Having administrative
privileges on Server1 does not guarantee that volume shadow copy will be used.
